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Abstract 

The actor message-passing model of concurrent computation has inspired new ideas in the areas 
of knowledge-based systems, programming languages and their semantics, and computer systems ar- 
chitecture. The model itself grew out of computer languages such as Planner, Smalltalk, and Simula, 
and out of the use of continuations to interpret imperative constructs within X-calculus. The matli- 
ematical content of the model has been developed by Carl Hewitt, Irene Greif, Henry Baker, and 
Giuseppe Attardi. This thesis extends and unifies their work through the following observations. 

The ordering laws postulated by Hewitt and Baker can be proved using a notion of global time. 
The most general ordering laws are in fact equivalent to an axiom of realizability in global time. 
Independence results suggest that some notion of global time is essential to any model of concurrent 
computation. 

Since nondeterministic concurrency is more amdamental than detemiinistic sequential computa- 
tion there may be no need to take fixed points in the underlying domain of a power domain. Power 
domains built from incomplete domains can solve die problem of providing a fixed point semantics 
for a class of nondeterministic programming languages in which a fair merge can be written. 

The event diagrams of Greif s behavioral semantics, augmented by Baker's pending events, form 
an incomplete domain. Its power domain is Uie semantic domain in which programs written in actor- 
based languages are assigned meanings. This denotation^ semantics is compatible with behavioral 
semantics. 

The locality laws postulated by Hewitt and Baker may be proved for the semantics of an actor- 
based language. Altering die semantics slightly can falsify die locality laws. The locality laws tlius 
constrain what counts as an actor semantics. 
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Chapter 



Introduction 



Todays algorimmic programming languages were designed to express deterministic sequenUal 
algoritluns They were not designed to express algorisms for tl.e distributed computer networks and 
network-like multiprocessors that are now being designed and built. Algorithms for these networks 
and multiprocessors make use of concurrent computation and are often nondetemiinistic in that they 
do not specify a unique outcome. 

The now classic Scott-Strachey ^eory of programming language semantics deals only wiU, deter- 
ministic programn,ing languages. That is, using Are Scott-Strachey theory to describe Uk semantics 
of a language defines a unique mad.ematical object for every well-formed language consta,ct. The 
hallmark of nondeterministic programming langt.ages. however, is a kind of semantic ambiguity: 
some programs may for a given input produce any of several possible outputs. 

Why no. extend the Scott-Strachey theory by making me mathematical object corresponding 
to the output of a nondeterministic program be the set of its possible outputs? Gordon Plotkin 
has done precisely Utat in working out the theory of pt,wer domains, so called by analogy w.th 



power sets.^ Each element of a power domain is a set of possible outcomes of a nondeterministic 
program or program fragment. One of the most important shortcomings of power domains has been 
their seeming inability to deal with fair merge, finite delay, unbounded nondeterminism, and other 
manifestations of fair parallelism. 

This thesis presents a theory of semantics for a class of nondeterministic programming languages 
with fair parallelism. Specifically, this thesis is concerned with programming languages based on the 
actor model of concurrent computation.^ Actor semantics shows that power domains can be made to 
overcome the problem of fairness. 

1.1. Fairness 

Consider die problem of scheduling disk operations requested by concurrent processes. Because 
the disk is slow relative to the processes, requests should be buffered; let's call a request in die buffer 
a pending request. Two possible scheduling strategies are die First Come First Served strategy and 
the Shortest Seek Time First strategy. The First Come First Served strategy services pending requests 
in the order they arrive at die scheduler. The Shortest Seek Time First strategy attempts to minimize 
disk head motion by always servicing the pending request tiiat involves moving the disk head the 
shortest distance. In many cases the Shortest Seek Time First strategy gives better average response 
time than the First Come First Served strategy.^ Unfortunately, die Shortest Seek Time First strategy 
is incorrect because it cannot guarantee that every pending request will be serviced. 

Figure 1 shows why. Process Pq wishes to read a cylinder near die center of die disk. Process Pi 

wishes to read and write cylinders near the disk's outer edge. The disk head happens to be over Pi's 

cylinders. Suppose process Pj, in a burst of acdvity, sends fifty or so requests to die disk scheduler, all 

involving cylinders near die outer edge of die disk. Suppose furthermore dian whenever process Pi 

receives confimiation diat one of its requests has been serviced, it sends yet another request to die disk 

^G D Plolkin, "A powerdomain constaiction", SIAM J Computing 5, 3, September 1976, pages 452-487. 

^For a very diverse, nontechnical, amusing introduction to actor-based languages, see Ted Nelson [editor], "Symposium 
on actor languages". Creative Computing 6, 10, October 1980, pages 61-86, continued in Creative Computing 6, 11, 
November 1980, pages 74-94. 

•'^Micha llofri, "Disk scheduling: FCFS vs. SSTF revisited", CACM 23, IF, November 1980, pages 645-653. This article 
fails to observe that without modification the SSTI^' algorithm is incorrect. 




Figure 1. Disk cylinders accessed by two processes. 

scheduler. If the disk scheduler is using tlie Shortest Seek Time First strategy, process Pi will capture 
the disk. Process Pq will be locked out, and any disk requests made by process Pq will remain pending 
forever. That isn't fair. 

On tlie other hand the First Come First Served scheduling strategy is fair. For that very reason, 
however, it causes problems for power domain semantics. For example suppose process Po makes 
one disk request, represented by a 0, while process Pi makes infinitely many disk requests, each 
represented by a 1. This situation is diagrammed in Figure 2, where 1*^ indicates an infinite sequence 
of ones.'* As is usual in programming language semantics, time has been left out of the picture in 
order to obtain a more abstract description— but as a result it is impossible to say where the should 
appear in the output of the First Come First Served scheduler. Depending on the timing, the output 
could be any of 



''Throughout this thesis u) is the first infinite ordinal, the first infinite cardinal, and the set of natural numbers with the 
usual ordering. Identifying these three conceptually distinct objects is a vice common among mathematicians who have 
studied set theory. 
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First Come 
First Served 
Scheduler 



Figure 2. Data flow diagram of a scheduling problem. 

011111111-- 
101111111- • 
llOUUll • • 
111011111 • 

and so on. The infinite sequence of ones is not a possible output, tiiough, because it does not contain 
the that is sent to the scheduler by process Pq. In other words the First Come First Served scheduler, 
abstractly considered, performs an arbitrary fair merge on its inputs. 

Notice diat nondeterminism is a property of our abstract description of tlie First Come First 
Served scheduling algorithm, not a property of the algorithm itself. 

Nonetheless conventional power domain semantics attempts to account for nondeterminism in 
ternis of choice points within the program's execution sequence. In the case of a merge program the 
choice points represent decisions about which value to output next. Figure 3 shows the choice tree for 
a merge of and 1'^. At the beginning of execution no outputs have been produced, so the root of the 
choice tree is labelled by a special symbol _L standing for die empty output. The program must dien 
choose whether to produce or 1 as its next output. If it produces 0, each subsequent output must be 
a 1. If it produces 1, however, it faces die same choice all over again. 
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Ol'^ lOl'^ 1101'^ 11101^ 111101^ 



Figure 3. The choice tree for a merge of and 1". 

Conventional power domain semantics regards each branch of the choice tree as a possible ex- 
ecution sequence of the merge. The possible outputs of the merge are the limits of these branches. 
Observe, however, that 1'^ is the limit of the rightmost branch, so the choice tree in Figure 3 does 
not represent a fair merge of and 1'^. In fact, no such choice tree drawn according to die rules 
of conventional power domain semantics can represent the arbitrary fair merge of and 1'^. As a 
corollary, conventional power domain semantics cannot give the abstract semantics of a First Come 
First Served scheduler. 

Fair scheduling can be programmed in languages based on the actor model of computation.^ 
Conventional power domains arc therefore inadequate as a basis for actor semantics. Chapters III and 
IV develop and illustrate unconventional power domains that can deal with fair parallelism. 

^Carl Hewitt, Giuseppe Attardi, and Hcnr>' Lieberman, "Specifying and proving properties of guardians for distributed 
systems", in Semantics of Concurrent Computation, Springer- Verlag Notes in Computer Science 70, 1979. 
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1.2. Overview 

The actor message-passing model of concurrent computation has inspired new ideas in me areas 
of knowledge-based systems,^ progfamming languages and their semantics,' and computer systems 
an:hitecture.« The model itself grew out of computer languages such as Planner « Smalltalk,"- and 
Simula " and out of the use of continuations to interpret imperative constructs within X-calculus.'^ 
The mathematical content of the model has been developed by Carl Hewitt, Irene Greif,- Henry 
Baker " and Giuseppe Attardi.'^ This thesis extends and unifies their work. 

Chapter II introduces the actor model and gives a mathematical definition of the actor event 
diagrams introduced by Greif- The main result of Chapter II is that the most general ordering 
laws postulated by Hewitt and Baker" are equivalent to an axiom of realizability in global Ume. A 
strong independence result further emphasizes the importance of global Ume in the actor model, and 
suggests mat some notion of global time is essential to any model of concurrent computation. 

Chapter III dixusses nondeterminism. It argues that nondeterminism in a programming lan- 
guage semantics is better understood as incomplete specification than as random choice. It follows 
eEg Kenneth M Kahn, 'An actor-based animation language". Crea,.c Co.,«/.s 6. 11. November 1980, pages 75-84. 
VEg. Guy Uwis Steele Ir and Gerald lay Sussman, -Seheme: an interpreter for extended lambda caleulus'', M,T Al 
Memo 349, December 1975. 
8Eg the design of the Intel 432 was influenced by the Actor model. 

. IW R Pranu. ■■S.mula language ---"---« ^^ ^^1-T^:^J7S:S::'^' ^^ 

^Eg Miehael J C Gordon, ne Denomional Dcscnpnon of Proiran,mn, lMn,ua,es. Springer-Verlag, New York. 1979. 
I3..semanucs of commun«Ung parallel proeesses", MIT Project MAC Technical Report 154, September 1975. 
"•■Actor systems for real-time compumtion-, MIT ITS Technical Report 197. March 1978. 

. . ..■ A it„„rv I iPbprman "SDecifyin. and proving properties of guardians for distributed 
:s'Sl^*t%°rr.^"^r, 'S:^::^::^^^-'^^- computer science 70. 1979. 

iS"Scmantics of communicating parallel processes". 

" iriP 77 Toronto Auuusl 1977. pages 987-992. "Actors and continuous 
IIZ^. ^;>T'SSci:rnrorrormrDSri,',uIS ^^, U...... St Andrews, New Brunswick, 

Canada. August 1977. 16.1-16.21. 
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that the nondetenninism in a programming language semantics is, in David Park's term, loose non- 
determinism. i« The importance of these philosophical distinctions is that fairness implies unbounded 
nondeterminism, whereas viewing nondeterminism as random choice leads to the conclusion that all 

nondeterminism is bounded. 

What is new in Chapter III is the treatment of power domains. Instead of beginning with a 
semantics for sequential programs and then trying to extend it for nondeterministic concurrency, ac- 
tor semantics views nondeterministic concurrency as primary and obtains the semantics of sequential 
programs as a special case. The mathematical import of this approach is that there is no longer any 
need to talce fixed points in the domain underlying a power domain. As a result the underlying 
domain need not be complete. Extending the power domain construction as in Chapter III to apply 
to incomplete domains makes possible a power domain semantics for a class of nondeterministic 
programming languages in which a fair merge can be written. 

Chapter IV verifies that claim by presenting a specific power domain semantics for actor-based 
languages. The event diagrams of Greifs behavioral semantics, when augmented by Baker's pending 
events,!^ f^^ an incomplete domain. Its power domain is the semantic domain in which programs 
written in actor-based languages are assigned meanings. 

Chapter V points out that whether or not the locahty laws postulated by Hewitt and Bakei^« hold 
for a toy language depends upon details of Uie language's semantic equations. The conclusion there 
drawn is that the locality laws constitute tlie acid test of a programming language's faithfiilness to the 
actor model. Chapter V also extends the semantics of Chapter IV to deal with actor creation. 
The concluding chapter, Chapter VI, suggests some directions for further research. 
The appendixes present tlie toy language used throughout the thesis to illustrate actors. 

1.3. Related Research 

Plotkin's original power domain construction was simplified by Michael Smyth, whose paper 
i«David Park. "On the semantics of fair parallelism". University of Warwick Theory of Computation Report 31. October 
1979. 

^^" Actor systems for real-time computation". 
20"I^ws for communicating parallel processes" and "Actors and continuous functionals". 
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remains the standard introduction to the subject." A number of nondeterministic programming lan- 
guages have now been given a power domain semantics. Of these, the semantics of Communicating 
Sequential Processes^^ has had the most influence on actor semantics. 

The semantics in Chapter IV is probably the first power domain semanucs for languages with fair 
parallelism, but it is not the first power domain semantics to deal with unbounded nondetenninism. 
R J Back has given a power domain semanUcs for a language with unboundedly nondeterminisdc 
assignment statements as basic operations.^^ Three differences between Back's work and actor seman- 
tics stand out. One difl^erence is the source of nondeterminism-basic assignment statements in 
Back-s paper, message delays in actor semantics. A second difference is that Back is thinking of non- 
deterministic sequential programming languages, while actor semantics is concerned primarily with 
concurrent programming languages. The tirird difference is fliat Back's power domain apparently is 
constructed from a complete underlying domain. This ti^ird difference is not entirely clear because 
Back's power domain construction appears to be nonstandard. A similarity between Back's work and 
actor semantics is tiiat Back found it necessary to build die power domain out of execution sequences 
instead of single states: the actor power domain is built out of actor event diagrams, which may be 
tiioughtofas generalized execution sequences. 



2i"Power domains", ./ Computer and System Sciences 16, 1978, pages 23-36. 

^^Nissim Fnnccz C A R Iloare, Daniel J Ixhmann, and Willem P de Roever. -SemanUcs of nondotorminism, concurrency, 

.„d colSo^- 7 Computer ant, System Sciences .9, December 1979, pages 290-308. 

^^■■scmanucs of „nl,o„n<led nondelerminism", Maihemalisch Centrum Report IW 135/80. April 1980 
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Chapter II 



Ordering Laws 



This chapter illustrates the actor model at its most abstract. A notion of global time is introduced 
and used to prove the ordering laws postulated by Hewitt and Baker. Needlessly restrictive ordering 
laws are avoided, so Uiat axioms of realizability in global time can be shown equivalent to the ordering 
laws. The importance of global phenomena is emphasized through a strong independence result. 
Finally, a Uieorem by Hewitt and Baker is shown to remain true under laws equivalent to a weak 
axiom of global time realizability. 

11.1. The Actor Model 

Ordinary sequential compulation is the simplest case of concurrent computation, a far more 
general category that includes various kinds of parallel computation as well as the sequential case. 
While the sequential case is fairly well understood, however, general concurrent computation is not. 
There are two evident ways to develop a better theory of concurrent computation. One is to generalize 
the existing theory of sequential computation. The other is to begin with a model of concurrent com- 
putation and create an entirely new dieory tliat can be checked against current Uicory in Uie special 
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case of sequential computation. The actor model is intended to support this second sort of theoretical 
development. Generalizing existing theory, as in die first approach, can lead to significantly different 
theoretical predictions, as will appear in Chapter III. 

As a model of concurrent computation, tlie actor model emphasizes die communication occur- 
ring during computation. Examples of such communication are the signals transferred along the bus 
linking the CPU and memory of a conventional sequential computer, parameter passing between 
subroutines of a program, messages transferred between computers in a geographically distributed 
network, and process synchronization in a multiprocessing computer. All these communications may 
be considered examples of what has come to be called message passing. 

The actor model is one of a number of message passing models tliat have been developed in the 
past decade.^ These models differ in tlieir conception of message passing. For some, the mechanism 
of message passing resembles a telephone network, so that message transmission is essendally instan- 
taneous, but there are times when the line is busy and messages cannot be sent.^ For the actor model, 
however, message passing resembles mail service, so Uiat messages may always be sent but are subject 
to variable delays en route to their destinations. As a result, the actor model can be used to analyze 
distributed computer networks as well as multiprocessors and programs. 

In the actor model, each communication is described as a message arriving at a computational 
agent called an actor. Memory chips, subprograms, and endre computers are examples of diings 
that may be thought of as actors. The memory chip might receive addresses and function codes as 
messages, while the subprograms might receive values or locations of parameters, and die computer 
might receive messages as blocks or packets. The actor model refers to die arrival of a message at 
an actor as an event. Thus all events in die model are arrival events, and diere is no such diing as a 
sending event. 

The graphic representation of an event is a dot, as below. 

^Two examples are C A R Hoare, "Communicating sequential processes", CACM 21, 8, August 1978, pages 666-677, 
and George Milne and Robin Milner, "Concurrent processes and their syntax", JACM 26, 2, April 1979. pages 302- 
321. 

^'Fhis is one way to understand the semantics of "Communicating sequential processes". See Nissim Francez, CAR 
Hoare, Daniel J Ixhniann, and Willem P dc Roever, "Semantics of nondcterminism, concurrency, and communication", 
J Computer and System Sciences 19, December 1979, pages 290-308. 
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The actor that receives a message in an event is called the target of the event. The message that 
the target receives is just called the message of the event. The target and message of an event are often 

described by the notation 

[target +- message] 

which may appear beside dots representing events. 

Sometimes Uie target of an event, as a direct result of that event, will send messages to other 
actors. For example, a memory module receiving a message instructing it to fetch tlie contents of a 
certain address should respond by sending the value stored at that address to the CPU. In this case, 
the event of which the memory module is the target activates the event in which the contents of the 
specified address arrives at tlie CPU. 

The activation relation appears as an arrow in diagrams. 

[memory ^ fetch address] 

[CPU ^ contents] 

An event may activate several subsequent events. That is, the arrival of a message at an actor 
may cause that actor to send out a number of messages to other actors. The events that a given event 
activates are said to have that event as their activator. 

/^ 

Thus eo activates e,, e^, and e;,, each of which has eo as activator, eo is an example of an external 
event, that is, an event with no activator. Its cause must be external to the system being modelled, 
hence the name.^ No event has more than one activator, because the message of an event has been 

'-^r.ternal events were called initial events in Carl Hewitt and Henry Baker. "Actors and continuous ainctionals" MP 
Wo knTcontence on Formal Description of Programming Concepts, St Andrews, New Brunswick, Canada. Augus 
W leSe? ITiis usage conHicls with U.at in Carl Hewitt and He.iry Baker, "I.,ws for commun.ca mg paralle 
irociss^" IFIP-77 Toronto. August 19/7. pages 987-992. -Hie usage of the latter paper .s better n^ot.vated. smce it 
defines an initial event as an event that is initial in the activation ordering considered as a category. 
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sent only once. 

Chains of activations define the activation ordering. 



eo 



ei 




/IK" 



64 • •es • ee 

^rhus eo activates e2 which activates ee, so eo precedes e^ in the activation ordering. Similarly both 
eo and ei precede 64 in the activation ordering. 64 and 63 are not related by the activation ordering. 

Sometimes an event will not activate any other events. When that happens, the only effect of the 
event is whatever effect it may have on the (local) state of its target. Considering the memory module 
again, the message Store 7 in 321 will probably cause it to change its state. In this way events 
can influence future events even though they do no activate any events themselves. Graphically 

d • [memory 4- Store 7 in 321] 



62 v [memory *— Fetch 321] 



63-. [CPU ^ 7] 

There is no explicit path in this diagram to show that 63 depends upon ei. To remedy that the 
actor model introduces the arrival ordering of \hc memory module, which appears as a vertical line. 

e, i [memory *- Store 7 in 321] 




[memory ^ Fetch 321] 



e3*« [CPU ^ 7] 

Adding mis arrival ordering shows that ei precedes 63 in the combined ordering, which is simply the 
combination of the activation and arrival orderings. 
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The arrival ordering emphasizes that the relative order of ei and ei is significant, 
[memory +- Fetch 321] 62 
[memory ^ Store 7 in 321] ei \ e^ S [CPU ^ 0] 

Here ei does not precede 64 in the combined ordering. 

The actor model postulates an arrival ordering for each actor. These arrival orderings are sup- 
posed to be linear, which means tliat for any two events with the same target, it is always the case 
Uiat one of the two occurs first. Some fonii of arbitration may be necessary to make this supposition 
realistic, of course. 

An arrival ordering represents tlie order in which events occur at a particular target actor. Thus 
an arrival ordering represents the local time of an actor. 

Conventional models of sequential computation make use of global lime and global stale. That is, 
there is only one clock in the system, and the computation is in exactly one well-defined state at any 
given time. The transitions between global states are linearly ordered in the global time of the system, 
which is what makes sequential computation sequential. 

When computation is not sequential, the notions of global state and global time may be inap- 
propriate. An extreme example suggests why. Suppose a computer in Dallas and another one in 
Oklahoma City are linked together to amction as a dual processor. The computers are one millisecond 
apart at light speed. It is Uierefore not helpftil to insist that events occurring with megahertz fre- 
quencies at the two sites must be thought of as totally ordered in a single global time, for an event 
in Dallas clearly cannot affect any part of a hypoUietical global state on which an event nanoseconds 
later in Oklahoma City depends. Such concurrent systems are better analyzed by splitting the global 
state into local pieces and viewing the overall computation as a set of local compuUUions interacting 
tlirough message passing. 

This kind of local decomposition is important for multiprocessor systems as well as for geographi- 
cally distributed systems. Several experimental multiprocessors resemble computer networks, and 
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multiprocessor networks are becoming available commercially as well.^ 

Even large sequential programs are constructed from local modules that communicate through 
the conventional mechanisms of subprogram calls with parameters and shared variables. These 
mechanisms may also be regarded as special cases of message passing.^ 

The actor model emphasizes the ideas of local time and local state. Local times are represented 
by the arrival orderings of actors, which operate independently of each other except when they in- 
teract by means of message passing. The communications between actors are represented by the 
activation ordering. Hence the combined ordering indicates all possible dependencies among events. 
Since in the actor model events cannot be influenced by events that do not precede them in the 
combined ordering, the actor model helps to illustrate the modular structure of a computation. On the 
other hand, using a single global time to order computation events linearly makes it appear that an 
event depends upon all events that happen to come before it in global time. 



11.2. Global Time is Necessary 

Nonetheless it turns out that some notion of global time is essential to any model of concurrent 
computation. The purpose of tliis chapter is to show why tliat is so for the actor model, and to use the 
idea of global time to motivate and improve upon the ordering laws introduced by Hewitt and Baker. 

So far the arrival orderings have been required only to be total. Consider, however, an arrival 
ordering with the same order type as tlie nonpositive integers. 

^A commercial example I happen to be familiar with is the Advanced Flexible Processor built by the Information Sciences 
Division of Control Data Coiporation. Up to sixteen of these processors can be configured in a simple bidirectional 
ring network, providing a computation rate of well over a bilhon fixed point arithmetic operations per second in some 
signal processing applications. 

^Carl Hewitt, "Viewing control staicture as patterns of passing messages", Artificial Intelligence 8. 1977, pages 323-363. 
Also in Winston and Brown [ed]. Artificial Intelligence: an MIT Perspective, MIT Press. 1979. 

^Carl Hewitt and Henry Baker, "I^ws for communicating parallel processes", niP-77. Toronto, August 1977, pages 
987-992. Carl Hewitt and Hcnr> Baker. "Actors and continuous funciionals". IIIP Working Conference on Formal 
Description of Programming Concepts, St Andrews, New Brunswick, Canada, August 1977, 16,1-16.21. 



21 



e-5 

e_4 

e-3 
e-2 



This arrival ordering seems unlikely to arise in practice. For an even unlikelier arrival ordering, 
considerably harder to draw, consider the order type of the nonnegative rationals. These examples 
suggest that the actor model should place ftirther restrictions on the arrival orderings. Such restric- 
tions are stated by the ordering laws. 

For example, one ordering law states that for any two events having the same target diere are 
only finitely many events lying between them in the arrival ordering of the target. This law rules 
out arrival orderings having tlie order type of the nonnegative rationals, but does not rule out arrival 
orderings having the order type of the nonpositive integers. Another ordering law must be added to 
eliminate that order type. Other ordering laws must be stated to govern the activation ordering. To 
rule out the possibility of impossible situations arising from the interaction of allowable activation and 
arrival orderings, ordering laws must be stated for the combined ordering. 

While laws can be generated by thinking of arrival, activation, and combined orderings having 
undesirable order types and then postulating ordering laws tiiat eliminate Uiem, it would never be 
possible to have total confidence that all undesirable order types have been ruled out by such a 
process. In other words, this ad hoc approach leaves open the question of the sufficiency of the 
ordering laws. Another, less important question concerns the independence of die laws. For example, 
Hewitt and Baker conjectured tiiat tlieir law governing die combined ordering was redundant, but 

could not prove it.^ 

The questions of independence and sufficiency turn out to be related, in diat the question of in- 

^"Aclors and continuous functionals". 
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dependence points to the importance of global time, v/hich provides an intuitive basis for considering 
the question of sufficiency. 

The answer to the question of sufficiency runs as follows. The ordering laws are nothing more 
than conditions necessary for orderings to be realizable in global time. They should therefore be 
considered complete if they form a necessary and sufficient set of conditions for orderings to be 
embedded in global time. The three strongest ordering laws form such a complete set. That is 
the message of Theorem 1 of §5, wherein they are shown equivalent to a statement of global time 
realizabihty. 

As for the question of independence, the three strongest ordering laws are strictly stronger than 
the conjunction of all the other ordering laws, even in the presence of the locality law^ discussed 
in Chapter IV. In particular, tlie law governing the combined ordering is independent of the other 
laws, which explains why Hewitt and Baker were unsuccessful in proving their conjecture. The reason 
for this law's independence is that the combined ordering is a global ordering, while the other laws 
deal only with local orderings, namely the activation and arrival orderings. As shown by this law's 
independence, local laws are not by themselves enough. A global law is needed to make the actor 
model an adequate account of concurrent computation. 

M.3. A Mathematical Formulation 

So far the actor model has been de'scribed informally. A more rigorous presentation at this point 
will avoid some confusion later on, as well as provide a chance to review the model. Some details 
of the actor model, such as the contents of messages and tlie behaviors of actors, make no difference 
when discussing the ordering laws. Hence tliey will not be discussed now, but will reappear later. 
The simplified actor model used in this chapter is less detailed and more general than the versions 
considered in chapters III, iV, and V. 

The actor model is perhaps best motivated by tlie prospect of highly parallel computing machines 
consisting of dozens, hundreds, or even thousands of independent monoproccssors, each with its own 
'^Hewitt and liaker, "l^ws for communicaling parallel processes" and "Actors and continuous functionals". 
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local memory and communications processor, communicating via a high performance communica- 
tions network in a system much like the computer networks now coming into widespread use. The 
model may be thought of as an idealization of such a multiprocessor network, in which the number of 
available processors is potentially infinite, much as the tape of a Turing machine is potentially infinite. 
The primitive objects of Uie simplified model are events and actors. The actors represent com- 
puUitional agents, hi the idealization suggested above, an actor may be thought of as a program that 
has been given its very own processor on which to mn. An event represents the arrival of a message at 
a target actor. 

The model uses partial orders on these events to represent concurrency. There is a treelike 
activation ordering tliat represents causality, and a set of linear arrival orderings, one for each actor, 
that represent local times. The combined ordering is the transitive closure of the activation and arrival 
orderings, and may be considered to represent feasible concurrency. The combined ordering is similar 
to the concurrency orderings of some other models, but its decomposition into activation and arrival 
orderings is unique to the actor model. 

Write the set of events of a computation as E, and the set of actors as A. Associated with each 
event is its target actor, so let T:E -^ A be the Rmction giving the target of each event. The model 
does not need to record the sender as well as die target, because the sender can be detemiined from 
the activation ordering unless the event is external. The events with a given target are linearly ordered 
by the arrival ordering of the target, so let Arr be a collection of irreflexive total orderings —arva-^ 
defined on T~^{a), for a G A. There is also tlie activation ordering —act-^, an irreflexive partial 
order on E such Lhat no event has more than one immediate predecessor.^ 
A computation thus becomes a structure 

{E,A,T, -act-*, An). 

Not all such structures correspond to reasonable computations, however. The purpose of the ordering 

laws is to characterize those structures that represent real computations. 

^x is an immediate predecessor of z with respect to an irrenexive ordering < if a: < but there is no y such lhat 
x < 1/ < 2. 
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Figure 1. An example of an activation ordering wilh two components. 

Some readers may be uncomfortable with the infinities allowed by such a structure. The con- 
siderations of the next section will require that the set of events E be countable. E cannot be 
required to be finite because that would make the model useless for nonterminating computations. 
For the same reason there may be infinitely many external events, which are simply events having 
no predecessors in ttie activation ordering. External events are intended to represent events whose 
cause is external to Uie system being modelled, such as the event of pressing a button or kicking the 
niachine. There must be at least one such event in a nonempty computation, but tliere is no reason to 
insist that Uiere be only one. Each external event defines a component of tlie activation ordering, and 
each component is a tree with die external event as its root. See Figure 1. 

Figure 1 also illustrates Uie fact that an event can activate infinitely many events.'^ For example, 
receiving a message can cause an actor to enter an infinite loop in which it continues to send out mes- 
ial lewitt and Raker did not allow this. §8 shows how to modify a proof of Uieirs (hat assumed that events can activate 
only finitely many events. 
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sages. Another example, motivated by the language E\hev,'' is an event that results in broadcasting a 
message to every present and future actor. 

The number of actors must be potentially infinite because at times actors represent software 
entities such as programs and amctions, and in languages such as Lisp new fiinctions can be generated 
automatically and endlessly. 

11.4. Time, Causality, and Computation 

Let -> denote the combined ordering, which is tlie transitive closure of the activation ordering 
-act-^ and the arrival orderings in Arr. If an event ei precedes another event 62 in the combined 
ordering, then there exists a path of causation and local time from ej to 62. If that is so then ei must 
occur before 62 in time. It makes no difference whether time is measured in the reference frame of the 
target of ei, the target of 62, or in any other reference frame, for the existence of Uie path of causation 
and local time between ei and 62 implies that the time sequence of the two events is invariant among 
all observers. Some time relations are absolute, even in the theory of relativity. 

Pursuing Uiat thought a bit further, the theory of relativity allows each observer his or her own 
global time. These global times may differ, however, concerning the order of events whose relation in 

time is not absolute. 

There is an analogy with global time in the actor model. When ei precedes 62 in the combined 
ordering, all global times must have d happening before 62- When ei and 62 are not comparable 
under the combined ordering, however, there will be global times in which ei happens first and other 
global times in which 62 happens first. 

The mathematical notion of global time appropriate for event-structured models of computation 
is of a ftmction from tlie computation events into the real numbers. Often the global time function is 
required to be integer-valued, and that will turn out to be the case for tlie actor model, but for now it 
will just be a real-valued function. For the actor model, then, a global time is a mapping 

I 'Bill Kornfeld, "RTHHR— a parallel problem solving system", IJCAI-79, pages 490-492. 
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Figure 2. A combined ordering that is not irreflexive. (Arrival orderings point downward.) 

where 5R denotes the real numbers. 

The reason for considering global times is that commonly held notions about time and com- 
putation will constrain the stmctures possible for the combined ordering and thus allow an intuitive 
derivation of the ordering laws. 

One constraint on the global time mapping g is that cause precedes effect. Thus 

[1] g preserves the activation ordering —act-^. 

That is, if ei — ad-^ 62, then g{ei) < g(e2). 

Another constraint is that global time be consistent with all local times. Thus 

[2] g preserves all the arrival orderings —arra-^, for a G A. 

Consequentiy 

[3] g preserves the combined ordering -♦ . 



and 



[4] The combined ordering -+ is irreflexive. 



27 



[3] and [4] are equivalent to [1] and [2]. Irreflexivity of the combined ordering does not follow from 
irreflexivity of the activation and arrival orderings, as illustrated in Figure 2. It must be stated as a 
fundamental ordering law. Hewitt and Baker named it the Law of Strict Causality. 

Law of Strict Causality. The combined ordering -^ is an irreflexive partial ordering. 

So-called Zeno machines are paradoxical machines that can do infinitely many things in a finite 
amount of time. An example is Hufl^man's Lamp, which when switched on lights for only thirty 
seconds before turning itself off for fifteen seconds, and then comes back on for seven and a half 
seconds before turning off for three and three quarters seconds, and so on. After one minute it 
ceases to change sUUe. At one second into tlie second minute, is it on or off7 Zeno machines, if they 
existed, could be used for many use^l purposes such as providing a decision procedure for first order 
predicate calculus. The feet that tliey do not exist leads to requiring that 

[5] The range o^g has no accumulation points. 

Equivalently, no bounded interval in ^R contains infinitely many images of E under g. Equivalently, 
because the combined ordering is irreflexive, a global time g can be found tliat is integer-valued and 
one-to-one. 

^rogctl\er with [5] above, the following implies diat there is a first event, and thus that the 
computation has a definite beginning. 

[6] the range of p is a subset of the nonnegative real numbers. 

Putting the above constraints together yields tlie fundamental axiom on actor orderings, the 

(Strong) Axiom of Rcaiizability. There exists a one-to-one mapping g from the events E into 
the nonnegative reals that preserves the combined ordering -^ and such that g^^I) is finite for every 
hounded interval I of 5R. Equivalently there exists a one-to-one mapping g:E -^ to that preserves -v. 
where u) is the set of natural numbers. 
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Occasionally tliere may be reason to weaken this axiom slightly by not assuming a definite begin- 
ning to the computation as in [6]. For example, many properties of a computer network that has been 
operating continuously for years will in no way depend upon there having been a time before the 
system was brought up, and so any proof that made use of that fact would be suspect. On the other 
hand, if the assumption really is necessary to the proof, then diat tells something about the property 
being proved, namely diat it depends upon the existence of some initial state. For these reasons, and 
against the chance that steady state theory may come back into fashion in cosmology, this chapter will 
also consider the 

Weak Axiom of Rcali/ability. There exists a one-to-one mapping gfrom the events E into the real 
numbers 5R that preserves the combined ordering -» and such that G-\l) is finite for every bounded 
interval I of 5R. Equivalently there exists a one-to-one mapping g:E -> Z that preserves -^, where Z is 
the set of integers. 

As will be shown, the ordering laws follow from the definition of tlie structure 

(E, A, T, —act-^, Arr) 

together with one of tiie versions of the reafizability axiom. 

Two of the ordering laws stated by Hewitt and Baker do not so follow, however, and are not in 
fact true in the system of Uiis chapter. One of tlie laws asserted the existence of an initial event preced- 
ing all other events in the activation ordering. This was nothing more than a simplifying assumption 
appearing only in the paper "Laws for communicating parallel processes". The other asserted tliat 
an event can activate only finitely many events. The previous section gave two examples to justify 
omitting this law, one of diem being the possibility of an actor entering an infinite sending loop. 
Apparently Baker wished to rule out the possibility of loops internal to actors.^^ It is also possible 
tliat die choice of Uic phrase "immediate successors in the acdvation ordering", while well grounded 
in established maUiematical usage, may have led to Uiinking of immediate in the sense of time rather 

dian in the sense of being without intervening events.^^ 

i^iicniT Baker. "Actor systems for real-time computation", MIT LCS Technical Report 197. March 1978. page 64. 

^•Ubid, page 37. 
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11.5. The Strong Axiom of Realizabllity 

An actor event diagram is defined to be a structure 

(E, A, T, -act-^, Arr) 

that satisfies the strong Axiom of ReaHzabihty, where E and A are arbitrary sets and T, —ad-*, and 
Arr are as described in §3. This section considers the ordering laws as consequences of that definition, 
while the next section considers weaker ordering laws that still hold when the strong axiom is replaced 
by the Weak Axiom of Realizabllity. 

The global time g whose existence is asserted by the axioms of realizabllity is not part of the 
structure of an actor event diagram. I'he axioms assert only that it is possible to embed the activation 
and arrival orderings in time in a certain way. Generally Uiere are many acceptable embeddings. 
Thus, altliough a particular actor event diagram must be realizable in time, no time sequencing is 
associated with it except the combined ordering. FurUiermore, as shown by the main Uieorems of this 
and die next section, die realizabllity axioms are equivalent to certain simple ordering laws, so that the 
set of actor event diagrams may be defined using die ordering laws instead of a realizabllity axiom, 
and the definition need never explicidy mention global times at all. 

Apparendy the global time itself is seldom needed in practice. The mere possibility of one is 
quite constraining, implying as it does die ordering laws, and die ordering laws are generally more 
convenient for proofs. It is usually easier to prove properties of computations by considering die 
partial orderings diemselves dian by considering all possible global Umes, since in considering all 
possible linearizations of die pardal orders in global time die proof sdll has to rely on properties of die 
parual orders. Hence dierc is no point to disguising die parUal orders by mapping diem into linear 

dme. 

As an example, consider the parallelism fork and join in Figure 3. Here an actor executing 
a process sends messages to two other actors asking diem to start subprocesses to be computed in 
parallel with the main process. Either subprocess may finish and return its result first, so Figure 3 
shows two possibiliues for die join. Each actor event diagram in Figure 3 can be embedded in dme in 
essenually diree ways. For the event diagram on the left, the order of events in global dme must be 
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Figure 3. Parallelism fork and join. 

one of 

60,62,61,63,64 

eo, ei, 62, 63, 64 
60,61,63,62,64 

but it makes no difference which. Hence the additional ordering information given by the global time 
is useless. Since the global time disguises the fact that 62 and 63 cannot influence one another, the 
global time actually gives less information than the actor event diagram. 

An excepdonal situation when it is just as efficient to consider all global dmes arises when con- 
sidering all interleavings of elementary operations in a multiprocessor system where communication 
is by means of shared rnemory.^'^ In this instance the possible arrival orderings of the shared memory 
when considered as an actor are essentially the same as the possible interleavings, so there is nothing 
to gain from the actor point of view. In short, the local time of die memory is effectively the global 
time of the system. In less centralized, more modular systems, however, considering the partial or- 
ders direcdy is superior to considering their many linearizations. Once tlie ordering laws and their 
equivalence to the global time axioms have been derived, Uierefore, the realizability axioms will have 
fulfilled their main purpose. 

Most logics that have been proposed for reasoning about parallel programs are based upon 
sequences of global st^Ues. The realizability axioms suggest diat die actor model may be made com- 

^■^Scc for example J M Cadiou and J J Lx;vy, "Mechanizable proofs aboiil parallel processes", Proceedings 14th Annual 
Symposium on Switching and Aiilomala Theory, October 1973, pages 34-48. 
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patible with these logics by treating an event as a change of global state, so that a global time specifies 
a sequence of global states. To do so, however, is to sacrifice the advantages being claimed for the 
actor model. The actor model requires its own verification logic, which remains to be developed. The 
semantics presented in Chapter III may be used to justify tlie proof rules of such a logic. 

The first two ordering laws follow from eitlier the weak or tlie strong realizability axiom. They 
are the 

Law of Strict Causality (LSC). For noe GT^ doese -^ e. 

and the 

Law of Countabih'ty (LC). There are at most countably many events. That is, E is countable, where 
a finite set is considered countable. 

The first law was stated by Hewitt and Baker^^ and the second is provable in the system of "Laws for 
communicating parallel processes". 

When the strong axiom is assumed, the intuition that events are only finitely removed from the 
beginning of computation comes back out as the 

Law of Finite Predccession (LFP). For all events ei the set{e\e -^ ei} is finite. 

These three laws are in fact equivalent to the Strong Axiom of Realizability. It is thus a matter 
of choice whether to formalize actor event diagrams using the strong realizability axiom as has been 
done here or using these three ordering laws instead. 

Theorem L The strong Axiom of Realizability is equivalent to the conjunction of the Law of Strict 

Causality, the Law ofCountability, and the Law of Finite Predecession}^ 

Proof The realizability axiom is easily seen to imply all three (LSC, LC, and LFP). 

Let { eo, ei, 62, . . . } be die set of events. Define a global time g inductively as follows. 

'^"l^ws for communicating parallel processes" and "Actors and continuous functionals". 

'^By assuming the existence of a single initial event tiiat precedes all other events, and that no event can activate 
infinitely many events, Hewitt and Baker were able to prove that the Law of FJiscrctcness (given in the next section) 
implied a statement equivalent to the strong Axiom of Realizability. Under their assumptions the law of Countability 
and Uie law of Finite I'redccession also hold, so they had a greatly weakened version of the "if part of this theorem. 
See §2.1 of "Laws for communicating parallel processes". 
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Letgf(eo) = 1. 

Suppose that g has been defined on { eo, . . • , e.-i } in such a way that it preserves the com- 
bined ordering -^ on the events on which it is defined. That is, g[ei) < g{e,) whenever a -> ey for 
i, j < n. The strategy for defining g(e„) will be to place it as far to the right as possible. Precisely, if 
there exists a j < n such Uiat e^ -^ e-,-, then let k be such that 

g{ek) = min{ g{ej) \ e^ -> ej, i < n }. 

Define . 

g[en) = \Uek) -h max({ g{ej) \ g{ej) < g{ek), j<n}[j{0 })j 

so that g{e,) is the first point on the right of g(ej. The claim is Uiat g is now defined on 
{ eo, . . . , e„_i, en } in such a way as to preserve the combined ordering. If not, then, by the induction 
hypothesis and the fact that p(e J < p(e,) whenever e„ -> e,-, j < n, there must be some par- 
ticular i < n such that e, -> e„ but g(ej < g[e,). This implies also that p(efc) < g(e,). Now 
since en -^ ejt, tlie transitivity of the combined ordering gives e,- -> e^, which by LSC contradicts the 
fact that g preserves -> on { eo, . . . , e„_i }. Thus no such i can exist, and g has been extended to 
{ eo, . . . , en-i, en } while still preserving die combined ordering. 

Ifthereisnosuchi < nsuchdiatCn -> e,-, then just put g(en) out to the right of all other points 

defined so far, say 

g[en) = 1 -f max{ g{ej) \j<n}. 

As before, Uie combined ordering is preserved. 

By induction die combined ordering is preserved at all stages. Any non-preservation of that 
ordering in die whole function g would already have arisen at some finite stage, and so g is a one- 
to-one positive-valued fimction Uiat preserves the combined ordering. It only remains to be shown 
that its range has no limit points. This is equivalent to showing that the left-open unit intervals with 
integral endpoints, that is, intervals of die form (m, m + 1] for m a natural number, each contain 

only finitely many points of the range. 

If (^^ m + 1] contains any range points at all, then by die way g is defined m + 1 =- g{en) 
for some n, and die interval (m, m -f- 1] contains none of the points g{eo], ..., g(en-i). That is, die 
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Figure 4. Irreflexive activation and arrival orderings do not imply an irreflexive combined ordering. 

interval was empty when p(e,J was defined. Now it happens that the pre-images of all range points 
placed in Uiat interval after g{€n) precede Cn in the combined ordering. Whenever g{e) is defined to 
be a non-integer, e precedes Uie pre-image of the range point immediately to its right at the time of its 
definition. Thus the pre-image of the first range point placed in (m, m + 1] after g{en) precedes e„ 
in tlie combined ordering. The second does also, by transitivity of -> if needed, and so on for all the 
range points placed in the interval. Hence if g takes infinitely many values in the interval (m, m -f- 1] 
then there must be infinitely many events that precede e„ in the combined ordering. This contradicts 
the Law of Finite Predecession. | 

The proof just given reveals that if e, e' G E are not related by the combined ordering, then there 
exists a global time g such tliat g(e)<g (e'). 

The Law of Finite Predecession has two immediate corollaries concerning the primitive, local 
orderings, but taken together tliey remain weaker than LFP itself. 

Law of Finite Predecession in the Activation Ordering. For all events ei the set 

J 
{ e I e — ad— > t\ } 

isjinite. 

Law of Finite Predecession in an Arrival Ordering. For all events ei and actors a the set 

{ e I e —arva-* t\ } 

is finite. (Of course the set is empty ifT{ei) 7^ a.) 
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Figure 5. An infinite backward chain in the combined ordering. 

Theorem 2. The strong Axiom of Realizabilily is stronger than 

L The conjunction of all the laws in this section and the next except for the Law of Strict 

Causality. 

2. The conjunction of all the laws in this section and the next except for the Law ofCountability. 
i. The conjunction of all the laws in this section and the next except for the Law of Finite 
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Predecession 

Proof. It suffices to consider the five laws stated above, except that for part 3 the Law of 
Discreteness (or its equivalent) from die next section must be considered because it is a corollary of 
die law being excluded. 

Part 1 is shown by Figure 4. Without die Law of Countability, there may be uncountably many 
external events, whence part 2. Part 3 is shown by Figure 5, which illustrates an infinite backward 
chain in die combined ordering having die order type of the negative integers and consisting of alter- 
nating arrival and activation ordering links, where each arrival ordering link is taken from a different 
arrival ordering. | 

The independence results of Theorem 2 already provide abundant evidence diat local laws can- 
not replace global dme in die actor model. To paraphrase die dieorem, irreflexivity of die activation 
and arrival orderings docs not imply irreflexivity of die global combined ordering, die local laws do 
not insure global countability, and finite predecession in the activation and arrival orderings does not 
imply finite predecession for die combined ordering. Indeed, local discreteness does not imply global 
discreteness, but that fact will not be stated precisely undl die end of die next section and then an 
enure section will be devoted to its proof.^^ 

Independence results similar to Theorem 2 continue to hold even in die presence of ordering 
laws stronger dian diose presented in diis section. The axiom dien becomes merely independent of 
rather dian stronger dian die conjunctions of ordering laws, of course. In particular, modulo die 
replacement of "stronger dian" by "independent of, parts 1 and 3 of Theorem 2 remain true in die 
presence of additional ordering laws forbidding more than one external event and forbidding events 
diat activate infinitely many events. 

On the other hand, in the presence of die Law of Discreteness from the next section, the exist- 
ence of an initial event preceding all other events in die combined ordering implies the Law of Finite 
Predecession. Thus adding a law postulating such an initial event would require modifying assertion 

^■^In §2.4.10 of "Actor systems for real-time computation", Ilcni7 IJakcr gave an example showing that discreteness 
of two trees docs not imply discreteness of the transitive closure of their union. 'Ihe counterexample to be presented 
in §7 of this chapter improves upon his result by taking into account Uie special nature of the activation and arrival 
orderings. 
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3 of Theorem 2 so as to exclude the Law of Discreteness and its equivalent, the Law of Finite Chains 
Between Events in the Combined Ordering, as well as the Law of Finite Predecession. 

An independence result tliat strengthens part 3 of Theorem 2 by allowing locality laws and these 
additional ordering laws is presented foimaHy in §7. 

IL6. The Weak Axiom of Realizability 

Now suppose that tlie strong Axiom of Realizability is replaced by the Weak Axiom of Realiza- 
bility, so computations are allowed to be infinite in past time as well as in hiture time. This may seem 
a strange possibility to consider. Its practical motivation is tlie fact thai some programs are pure in the 
sense that they never change, and properties of such programs may be proved using only the weak 
axiom.^^ Properties whose proof requires the strong axiom depend upon what has happened in the 
past, and are usually proved by induction from some initial state. Hence tliere is a real and useful 
distinction between properties that require only the weak axiom and tliose that require the hill power 
oflhe strong axiom. 

The Law of Strict Causality and the Law of Countability remain true under tlie weak axiom, but 
the Law of Finite Predecession is replaced by the 

Law of Discreteness (LD).'^ For all events ei and 62 , the set 

{ e I ei — > e -+ 62 } 

isfinite. 

This law is equivalent to the 

Law of Finite Chains Between Events in the Combined Ordering. There are no infinite chains of 

events between two events in the combined ordering-^. 
^^A simple example of such a proof is found in §8. 

J^lTiis was called the Uw of Finitely Many Events between two events in the Combined Ordering in a revised version 
of Carl Hewitt and Henry Raker, '"Actors and continuous functionais". Mil' l.CS Technical Report 194, December 1977. 
It appeared first in Hewitt and Baker, "Laws for communicating parallel processes", August 1977, but m that paper it 
was equivalent to the Law of I'inilc Predecession due to Uieir assumption of an initial event 

20a chain is just a linearly ordered set. 
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Theorem 1. Assume the Law of Strict Causality. Then the Law of Discreteness is equivalent to the 
Law of Finite Chains Between Events in the Combined Ordering?^ 

Proof The only if direction is trivial. 

To prove the converse, assume there are no infinite chains between events in the combined 
ordering. Then by the totahty of arrival orderings, an event has either no predecessors in the arrival 
ordering of its target, or it has a unique immediate predecessor. Similarly, an event is either external 
or has a unique immediate predecessor in the activation ordering, namely its activator. Therefore no 
event has more tlian two immediate predecessors in the combined ordering. 

Now suppose that for some Ei and £"2 the set { e | Ei -^ e -^ E2 } is infinite. We will inductively 
construct an infinite chain, contrary to hypothesis. Let eo — E2. 

We have a sequence eo, • • • > ^n such that 

El -^ Cn-^ Cn—l -+ • • • — ^ eo — ^ 

and {e I El -+ e -> e,J is infinite. If e„ is not an external event, letE be its activator, and if e^ is 
not the first event in the arrival ordering for T(e„) letE' be the unique immediate predecessor of Cn in 
that arrival ordering. If €„ is not external and { e | Ei -> e -> E } is infinite, tlien define Cn+i = E. 
Otherwise E' exists and { e | Ei -^ e -+ E' } is infinite, so define e^+i = E'. | 

This proof is essentially the proof of Konig's Lemma for ordered trees, and does not assume an axiom 
of choice.2^ Thus the two laws may be interchanged freely. Usually the Law of Finite Chains in the 
Combined Ordering will be easier to prove, and the Law of Discreteness will seem stronger in use. 

The Law of Discreteness also implies the existence of global time ftmctions.^^ 

^^ITnis is a shaniciicd siatenient of a fact observed by Hewitt and Baker in the revised version of "Actors and continuous 
functionals"'. Since in their paper events could only activate finitely many events, Konig's Umnia could be used in cither 
direction. No proof appears in that paper, but the proof given by Baker in "Actor systems for real-time computation", 
Mir irS Technical Report 197, March 1978, fails without tlie assumption of finite activation. Incidentally, the footnote 
in 'iaws for communicating parallel processes" iliat says that discreteness is the stronger condition must refer to general 
orderings. 

■^2 Raymond Smullyan, First Order Logic, Springer- Verlag, New York, 1968. Baker's proof used Konig's Lx-mma for 
unordered trees and thus assumed an axiom of choice. 

^■■^'niis was observed by Hewitt and Baker in "I^tws for communicating parallel processes", but their statement assumes 
also the existence of an initial event, so for them the liiw of Discreteness was equivalent to the Law of Finite Predecession. 
Ihey also assumed no event could activate infinitely many events. 
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Theorem 2. The Weak Axiom of Realizabilily is equivalent to the conjunction of the Law of Strict 
Causality, the Law ofCountability, and the Law of Discreteness. 
Proof The weak axiom clearly implies LSC, 1.C, and LD. 
Let eo, ei, 62, . . . be tlie events. Define a global time g inductively as follows. 

Define g(eo) = 0. 

The induction hypothesis for n, IH[n), is the following: g(eo), . . . , g[en-\) have been defined 

so that 

1. g is one-to-one. 

2. g is integer valued. 

3. the combined ordering is preserved. 

4. g is already defined on all e^ lying between any two of eo, . . . , e„__i in the combined 
ordering. That is, 

Vi, i, /c < ?;, J < n — 1 A Ci -^ Cfc -^ Cj => < fc < n — 1. 

Clearly the fourth part of the induction hypothesis will be impossible to arrange without periodically 
re-ordering the e/s, and we must be careful in that re-ordering not to upset the main induction. 

Assume IH(n). There are two cases, depending on whether or not e^ is related by -> to any of 
eo, . . . , Cn-i. In tlie simple case, when Cn is not related, define 

g[en) = 1 -f niax{ g(e,) | < i < n - 1 }. 

Clearly 1, 2, and 3 of ///(n) hold. Also 4 holds because -^ is transitive and Cn is unrelated to 

eo, . . . ,e„_i. 

Now the hard case, where Cn is related to at least one of eo, . . . , Cn-i. By 4 of ///(n), either 
en precedes all those it is related to, or it follows all those it is related to. Let us say e,, follows all 
of eo, . . . , en-i that it is related to, since die other possibility is handled in exactly the same feshion. 
(That is, with arrows reversed, 1 + max{ g{ei) | < i < n - 1 } replaced by min{ g[ei) \ < 
i < n — 1 } -- 1, et cetera.) 
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If tliere docs not exist a e/, such that k> n and, for some i, < i < n — 1, Cf -+ Cfc -^ Cn 
is true, then define g(en) = 1 + max{ gici) | < i < n - 1 }. IH{n + 1) then clearly holds. 
Otherwise we must re-order { e^ | i > n }, 

Let 

n— 1 

{ekv>^kn.}= [j{ek\k>n ande,- -^ Cfc -^ 6^}. 

The finiteness of this set is guaranteed by LD. We may assume ki < k^ < ■ • • < km- We re-order 
the set { e,- I n < i < hn } by pulling ek„ . . . , ej,^, e„ out of it and placing them in front, so Uiat the 
new order looks like 

and relabel as 

What has been accomplished by this re-ordering? First of all, nothing has been ruined by it. 
g is still defined in the same way on the same events, and IH{n) still holds. Some points are now 
farther back— at most m events farther back— in the new ordering, but if g were to be defined on 
ek„ .... ek^ and e^ (newly relabelled <, . . . , <+,„_i, e'„^ J without any further relabelling of the 
ef-,i > n-\-m, tlien every event e'- would be at least one event closer to being defined than in the 
original labelling. And in fact it is possible to define g on e'^, ..., e'^^rn-K ^n-^m while maintaining 
the induction hypotliesis and without disturbing e'j,i>n-\-m. 

Proof of claim: IH{n) still holds, so try again to define g on the n^ event, but this time use 
the new ordering, ie define g{e'J. Relabelling may again be necessary, but no e'^ with i > n~\~m 
will be relabelled. That is because Cj -> <■ -+ < for some j,0 < j < n— i would imply 
ej -> < -> en (since < -+ e^), contradicting < ^ { e^^, . . . , e^..^ }. In fact, several relabcllings may be 
necessary before g becomes defined on an n* event, but these relabcllings can only afi'ect the order of 
e' . y , , . Each relabelling changes the labels on a smaller initial segment of { e^j | i > n }, 
and so finally < becomes such diat no e'-, i > n lies between it and any of eo, . . . , Cn-i in the 
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combined ordering. At tliat point g becomes defined on its n^ event. Furthemiore g will be defined 
on all of <, . . ., <,+^_i, 4+.. before it is necessary to disturb the labelling above n + m, by the 
same reductio ad absurdum as above. Thus the claim. 

For each event e,, therefore, giei) is eventually defined, g is a one-to-one integer valued amction 
that preserves -^, since any non-preservation would show up at a finite stage contrary to the induc- 
tion. Hence the Weak Axiom of Realizability is satisfied. I 

l^he Law of Discreteness has two immediate consequences for the primitive orderings. 

Law of Discreteness in the Activation Ordering. IfC is a chain of events in the activation ordering 
from ei to t% then C is finite. 

Law of Discreteness in an Arrival Ordering. For all events ei and €2 such that T[e{) = T(e2) = 
o, { e I ei —arra-^ e -—arra-* ti } is finite. 

The first two parts of the following independence Uieorem are essentially the same as Theorem 2 
of§5. 

Theorem 3. The Weak Axiom of Realizability is stronger than the conjunction of 

1. All the laws in this and the previous section except for the Law of Strict Causality. 

2. All the laws in this and the previous section except for the Law ofCountability. 

3. All the laws in this and the previous section except for the Law of Discreteness, the Law of Finite 
Chains Between Events in the Combined Ordering, and the Law of Finite Predecession. 

The tliird part of this tlieorem is less obvious, and its proof will be deferred to the next section. It 
amounts to asserting that tlie Law of Finite Chains Between Events in die Combined Ordering is 
independent of die corresponding laws on the activation and arrival orderings. In other words, local 
discreteness does not imply global discreteness. Hewitt and Baker conjectured tliat adding additional 
local laws, which they called locality laws, sufficed to derive the Law of Finite Chains Between Events 
in die Combined Ordering from die corresponding local laws.^^ The next section is devoted to a 

counterexample. 

^■^''Actors and Continuous Functionals". 
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Figure 6. A counterexample to a conjecture by Hewitt and Baker. 



11.7. A Strong Independence Result 

Figure 6 shows that finite predecession in the activation and arrival orderings does not imply 
discreteness in the combined ordering. Between any two events in tlie figure there exists a directed 
finite path in the combined ordering. In particular, Ei -* ei for all i, so there are infinitely many 
events between £b and ei . In fact, all the events of the figure fall into the infinite chain 
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Co — ^ 62 — > e'l — V ei. 



Eo -y El -* E2 -^ E3 -* E4-^ >e 

This proves part 3 of Tlieorcm 3 of the last section. 

Consider the finite "top sections" obtained by restricting tlie diagram in Figure 6 to the events 

{E^ I i < n}[j{ei I i < n}U{<- I* < ^} 
for integers n. While the figure as a whole fails to satisfy the Weak Axiom of Realizability, each top 
section satisfies die strong Axiom of Realizability and is Uius a valid actor event diagram. Not only 
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are the top sections fornially acceptable, but they are physically possible as well. Even supposing that 
the message of ei is sent before the message of 62 (which is not implied by the fact that their activators 
occur in that order), it is entirely possible for event e^ to occur before e,. That is because messages 
being sent over computer networks are subject to variable delays from varying route choices and 
processor loads. While the larger top sections are not very probable, they are still possible. The entire 
figure is quite impossible, however, instead of being possible with probability zero as extrapolation 

would suggest. 

Figure 6 is the basis for a counterexample to the conjecture that discreteness follows from dis- 
creteness in the activation and arrival orderings together with the locality laws discussed in Chapter 
IV.2^ All that needs to be shown is that acquaintances and creation events can be assigned so that the 
locality laws are fulfilled. Logically that should await the definition of the locality laws in terms of the 
structure (E, A, T, -ad-^, Arr> and new objects acq, Ao, and creation. Illogically it appears here as 
the proof of a theorem asserting independence of the ordering laws from the locality laws. 

Theorem 1. There exists a structure 

(E, A, T, —act-^, Arr, acq, Aq, creation) 

of which the Law of Finite Chains in the Combined Ordering is not true, but for which all of the 

following hold 

1. E is the set of events. 

2. A is the set of actors. 

3. T is the target function:^ ~+ A. 

4. -act-^ is the activation ordering, an irreflexive partial order on E such that no event has more 
than one immediate predecessor. 

5. Arr is the set of arrival orderings, a set of irreflexive linear orders —arra--^ on T-^{a), for 

aG A. 

6. acq is the acquaintance function:E -> finite-subscts(A). 

7. Ao is the set of primeval actors. 

2^'Hcwilt and Baker, "Actors and continuous fiuictionals". 
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8. creation is the creation June tio'n:[\ — Aq) -+ E. 

9. The Law of Strict Causality. 

10. TheLawofCountability. 

11. The Law of Finite Predecession in the Activation Ordering. 

12. The Law of Finite Predecession in an Arrival Ordering. 

13. All the locality laws in Chapter IV. 

14. There is only one primeval actor. That is, Aq is a singleton. 

15. No event is the creation event for infinitely many actors. That is, Ve G E { a 6 A | 
creation{a) = e} isfinite.'^^ 

16. No actor ever has more than two acquaintances. That is, Ve G E acq{e) contains at most two 



actors.^'^ 



17. There is an initial event preceding all other events in the activation ordering?^ 

18. No event activates infinitely many events.'^^ 
Proof The events are, as in Figure 6, 

E = {E,\i>0}\J{ei\i>i}[j{e',\i>i}. 

Of course tliis is just a set of names. Let 

k = {ai\i>0} 

be the set of actors, also a set of names. The target function is defined by 

T{Ei) - oo, i > 0; 
T{ei) =•■ ai, i > 1; 

T(<) = «i» ^ > 1- 

^^ITiis was a law in "Actors and continuous functionals". 

2^Bakei, "Actor systems for real-time compulation", required that Uie number of acquaintances of an actor be bounded. 

2^'rhis was postulated for simplicity in Hewitt and Baker, "Laws for communicating parallel processes". 

^^This was a law in "Actors and continuous functionals". 



44 



The activation ordering is defined by 

Ei -ad-^ Ej, < i < i; 
Ei —act-* ej, 0<i< j, j > 1; 
Ei -act-* e'j, < i < i + l,i > i; 
6^4-1 —act--^ ef., i > 1. 

The arrival orderings —arva,-^, Oi G A, are defined by 

Ei —arrao-* Ej, 0<i<j] 
e'i —arvai-* ei, i>l. 

The acquaintance function is defined by 

acq(EQ) = { oo }; 

acq{Ei) = { ao, ai }, i > 1; 

acq{ei) = 0, i > 1; 

acq[^,) = 0, i > 1. 

The only primeval actor is ao, so Ao = { oo }. The other actors are created in the course of computa- 
tion, and their creation events are defined by 

creation{ai) = Ei—\, i > 1- 

The structure so defined confirms the claims of Ae theorem. | 

Describing this pseudo-computation informally, there is only one actor oo that exists at the 
beginning. The initial event £b tells it to begin. It then creates a, and sends a message to itself. When 
that message arrives in event Eu it creates a-i, sends a message to a2 telling it about ai, forgets about 
ai, and sends another message to itself. When t^iat message arrives in event £2, it creates a-i, sends 
a message to a^ telling it about a2, forgets about a;, and sends another message to itself. In general, 
when a message from itself arrives in an event Ei, actor a<, creates a^+i, sends a message to a^+i 
telling a,+i about a,, forgets about a,, and sends anotiier message to itself. It does this forever, so the 
computation cannot terminate. 

Each created actor a,-, i > 1, upon receiving a message naming an actor, sends a message to Uiat 

actor. The content of die message is irrelevant. 

Figure 7 defines these actor behaviors using a toy programming language. 
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(master = acq initially [ ] 
inside 
accept C ] 

(create ((slave * accept [ x ] 
if actorp(x) 

then send "ignore" to x 
else dummy)) 
(if equal [ acq [ ] ] 
then dummy 

else send acq to slave) ; 
change acq to slave) ; 
send [ ] to master) 



Figure 7. A program to Ulustrate the counterexample. 

It is possible for oo's message to ai to be slow, so that event Ei occurs, a2 is created and receives 
the message about au and the message from a2 arrives at ai, all before ao's message arrives at a,. In 
that way e'j can precede ei in the arrival ordering of ai. This scenario can occur at any number of 
actors, even infinitely many. Figure 7 shows it occurring at all actors, however, and tliat cannot be. 

Figure 7 can be seen to be impossible only when it is considered as a whole. This shows the 
"globalness" of the phenomenon, and that a truly global law, such as the Law of Discreteness, must be 
devised to take care of it. 

Upon learning of this counterexample, Professor Hewitt set the problem of finding a coun- 
terexample as an exercise for MIT subject 6.835. Valdis Berzins solved the exercise, finding a 
different, symmetric counterexample.^^ 

11.8. Modifying a Proof 

One of the purposes of Uiis chapter has been to relax unnecessary restrictions on the actor event 
diagrams. As noted at the end of §3, there is good reason to allow an event to activate infinitely many 
events. This was not allowed by Hewitt and Baker, pardy because they wished to assume finite activa- 
tion in proofs, and partly for reasons mentioned at die end of §4. Having removed the assumption 

30Valdis Berzins, "An independence result for aclor laws", MFF LCS Computation Structures Group Note 34, December 
1977. 
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of finite activation from Theorem 1 of §6. it is now time to remove that assumption from the main 
theorem of "Actors and continuous functionals". 

Considerable notation and some definitions from that paper will be needed before proving the 
lemma that depended upon finite activation. 

Messages must be represented in some language, and have some kind of structure. For the 
purposes of tliis proof there are two sorts of messages, corresponding to two kinds of events. A request 

event is an event of the form 

[/ *- request:a:, reply-to:c] 

which represents passing an argument x to the actor /, with instruction to send any result to a 
continuation actor c. A reply event is an event of the form 

[c +- reply :yl 

which represents the arrival of a result y at tlie continuation actor c. By convention, replies are 
responses to previous request events. 

Definition. If an event e^ is of the form 

[... i- request:..., reply-to:c], 

62 is of the form 

[c<- reply:...], 

ei -act-^ 62, and for no event e of the same form as 62 is e^ -ad-^ e -act-^ 62 true, then e^ is said 
to be a reply to e\, 

A request event may have no replies, one reply, nineteen replies, or infinitely many replies. For a 
request event whose target is an actor that behaves as a procedure, however, there is at most one reply, 

by definition.^ ^ 

For an event elet/2(e) = {e}U{e' | e -> e'} andL(e) = {e}\}{e! \ ^ -^ e}. 
^^See "Actors and continuous functionals". 
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[delay +- request: 0, reply-to: c] 
e' ik^ [delay ^ request: 1. reply-to: d] 
[c ^ reply: 0] 
[d ^ reply: 1] 




e — cont-~* ^ 

e' — cont—^ ef' 

1 e — cont--* ef' 



Figure 8. The continuation ordering may not be transitive. 

Definition. Ife is a request event then the activity corresponding to e is 

R{e) f|(|J{ L{e') \ e' is a reply to e }). 

Perhaps not all events in the activity corresponding to e actually contribute to answering the 
request e, but certainly all events that do contribute are in the activity. An activity may not be finite, 
because a request can have infinitely many replies. If a request has only finitely many replies, though, 
as is the case if its target is a procedure, then its activity is guaranteed to be finite by the Law of 
Discreteness. 

Definition. Ife and e' are events, e -^ e', and there is some activity a such that e,e' Ea, then we 
saye —cont-^ e!. 

Although -cont-^ is called the continuation ordering, it is not in general a tmc ordering because 
it may not be transitive. In Figure 8, e -cont-^ e' and e' -cont-^ c", but e -cont-^ e" is not 
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true. The continuation ordering is transitive when restricted to activities corresponding to requests of 
a procedure, though, because by definition the activites of a procedure are properly nested. Note that 
—cont-^ is a subrelation of the combined ordering -+. 

An actor that is a procedure and initiates the same activity, in the sense of the same messages 
with the same targets and the same relationships between events, whenever it is sent the same request 
is said to behave like a function. 

The definition of an immediate /-descendant in the first version of "Actors and continuous func- 

33 

tionals"32 contained a small but subtie error that was partially corrected in subsequent versions. 
The idea is tliat the immediate f-descendants of {x,y) G graph(/) are tiiosc {x',y') G graph(/) 
that must be known in order to compute fix) without recursing. As is often the case, the proof is 
correct because it depends on what the definition is supposed to be, not its formal specification. The 
definition below is supposed to be what tiie definition was supposed to be. 

Definition. Suppose an actor f behaves like a mathematical function, {x,y) G graph(/), and 
{x', y') e graph(/). Then {x', y') will be said to be an immediate f-descendant of{x, y) if there is some 
history off that has events ei and 62 of the form 

ei:[/^- request: a:, reply-to:. . .] 

e2:(/^ request :a;', reply-to:...] 
such that 62 belongs to the activity initiated by ei (so that ei -cont-^ e^d and it is not the case that 
there is an event e of the form 

e:[/^ request:..., reply-to:...] 

such thatei —cont-^ e —cant-* 62. 

Definition. Suppose that {x, y) G graph(/). Then 

immediate-desccndants/((a:, y)) = { {x', y') \ {x', y') is an immediate f-descendant of{x, y) }. 

32IF1P Working Conference on Formal Description of Programming Concepts, August 1977, 16.1-16.21. 
'^■^MIT LCS Technical Report 194, December 1977. 
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As an example, Hewitt and Baker give the following procedure. 

fib(n) = 

if n=l then 1 

if n=2 then 1 

if n>2 then f ib(n-l)+f ib(n-2) . 

immediate-descendantSf -j|3((l, 1)) == 
immediate-descendantSf -ii3((2, 1)) = 
immediate-descendantSf -j ^((S, 2)) = { (1, 1), (2, 1) } 
immediatc-descendantSf ^ ^j((5, 5)) = { (3, 2), (4, 3) } 

Now the only real use Hewitt and Baker make of tlie assumption of finite activation is in proving 
the following lemma. 

Lemma 1. If an actor f behaves like a mathematical function and {x, y) E graph(/), then 
immediate-descendants/((x, y)) is finite. 

Proof. Let ei be a request for the procedure / to compute the value f{x). That is, ei is of the form 

^I'lf *— request : a;, reply-to :. . .]. 

By the way Hewitt and Baker define "function" there can be at most one reply to this request. There 
is a reply, since {x, y) G graph(/), so call it 62. Since ei has a unique reply, Uie activity initiated 
by ei is just { ei, 62 } U{ ^ I ^1 ~^ ^ "~* ^2 }• This set is finite by the Law of Discreteness, and so 
immediate-descendants/((a:, y)) is finite by the definition. | 

The lemma thus remains tme without the assumption of finite activation. As this lemma is tlie 
only place in its proof where Hewitt and Baker use finite activation, the tlieorem to be stated below no 
longer depends upon that hypothesis. 

Definition. IfG isaset of input-output pairs, then 

Df(G) = { (2:, y) I {x, xj) G graph(/) and immediate-descendants/((a:, y))C.G}. 
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Theorem 2. (Hewitt and Baker.)' If an actor f behaves like a mathematical function, then Df is 
a continuous functional in the sense of Scott, andgraph{f) is the limit ofDf beginning with the empty 
graph. Also graph(/) is the minimal fixed point of Df. 



51 



Chapter III 



Nondeterminism 



Is the universe deterministic? Regardless of the answer, there exist systems so complex that their 
unique future behavior cannot exactly be predicted in any practical sense. In practice such systems are 
considered nondeterministic. 

This chapter deals with die semantics of nondeterministic programming languages. The usual 
way of representing nondeterminism in a denotational fixed point semantics is by means of power 
domains, so called by analogy with power sets. Extending the power domain constmction to apply 
to incomplete domains makes possible a power domain semantics for nondeteniiinistic programming 
languages in which a fair merge can be written. 

IM.1. Nondeterminism can be Viewed as Incomplete Specification 

Abstraction is essential to understanding complex systems. One difference between good and 
bad programmers is that good programmers think in terms of the function performed by a program 
segment whereas bad programmers are likely to tliink of the program segment as a sequence of steps. 
Programming language semantics seeks to provide abstract descriptions of program segments. 
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As part of the abstraction process, details are suppressed. One detail universally suppressed 
by programming language semantics is the amount of time required to do a particular thing, since 
it varies from implementation to implementation or even from moment to moment. As a result 
programming language semantics cannot always say exactly what the output of a program with con- 
currency will be, because the output may depend upon timing. Abstraction can therefore lead to 
nondeterminism. 

Nondeterminism can result from any incomplete specification of a programming language, 
whether deliberate as in the case of abstraction or accidental as in the case of oversight. Though the 
nondeterministic program given below is written in APL, it uses no special features of that language. 
Almost any popular programming language would have served. APL was chosen partly because it is 
simple, concise, and well-known, but the main reason is that an ambiguity in APT.'s order of evalua- 
tion went unrecognized for many years, the ambiguity created significant nondeterminism, and the 
ambiguity was of the sort that can be exploited dirough concurrency. 

Consider die program FOO defined by 

V RESULT <- FOO X 
[1] GLOBAL i- 
[2] RESULT ^ (F X) + (G X) 

V 

which, given an argument X, sets the global* variable GLOBAL to and dien returns as its result die 
sum of F X and G X, where F and G are user defined "function" subprograms. If F and G do any 
significant computation at all, then die dme required to execute FOO on a sequential machine is die 
sum of the execution dmcs for F and G. For example, if F and G each take one minute to return dieir 
answers, dien executing FOO takes two minutes. With the advent of multiprocessors capable of per- 
forming several independent computations concurrcndy, it has become feasible to consider evaluating 
F and G at die same time on separate processors, so diat executing FOO might take as little as half the 
dme required when only a single processor is used. 

This example suggests one of die speed gains possible dirough multiprocessing. The particular 

^In the sense that the memory loaition denoted by GLOBAL is accessible to subprograms invoked by FOO. ITie example 
is indifferent to the question of whether the memory location can be directly accessed by all hardware processors. 



5.3 



speedup illustrated is possible any time that two or more arguments to a ftmction each require 
significant time to evaluate. Devotees of largely fonctional languages such as Lisp and APL perceive 
this to be of profound importance for the design of languages intended for execution on multiproces- 



sors.^ 



Nondeterminism often accompanies this and many other techniques for concurrency. That is, 
die outcome of a program may no longer be completely determined. Nondeterminism may or may 
not affect the usefijlness or correctness of a program. Consider, for example, a program that conducts 
a parallel search for a proof of or a counterexample to tlie Goldbach conjecture. It does not matter 
which particular proof or counterexample is first found. While some programs must be deterministic 
to be correct, nondeterminism has a role in artificial intelligence programs and programs such as 
operating systems that depend on inputs presented at unpredictable times. 

Even so simple a program as FOO can be nondetenninistic. Suppose the subprograms F and G 
invoked by FOO are defined as follows. 

V RESULT f- F X 
[1] RESULT i- GLOBAL 
[2] GLOBAL ^ 1 

V 

V RESULT f- G X 
[1] RESULT i-- GLOBAL 
[2] GLOBAL i- 1 

V 

Aside from Uieir names, these programs are identical. Each reads the global variable GLOBAL and, 
after setting GLOBAL to 1, returns the value read as its result. 

On a sequential machine, these definitions cause FOO to evaluate to 1 (regardless of the value of 
X). Here is what happens. First FOO sets GLOBAL to 0. Then, in line 2 of FOO, G is invoked with X 
as its argument."^ G reads the global variable GLOBAL, finds its value to be 0, sets GLOBAL to 1, and 
returns as its result Then F is invoked with argument X. F reads GLOBAL, finds its value to be 1, sets 

^See for example Friedman and Wise, "Aspects of applicative programming for parallel processing" JEEE Transactions 
on Computers C-27, 4, April 1978, pages 289-296. 

Since APL as now defined evaluates right-most arguments first. 
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GLOBAL to 1, and returns 1 as its result FOO then sums the results of F and G to obtain its result: 1. 
On an interactive APL teiminal: 



X f_ 297 (or other arbitrary value) 
FOO X 
1 



Were F X and G X to be evaluated in parallel on a multiprocessor, FOO X might sometimes 
return instead of 1. The reason is that F and G might both read the global variable GLOBAL before 
the second line of either subprogram had been executed to set GLOBAL to 1. Thus both F and G might 
return as their result. On an API. terminal: 

FOO X 


would be possible as well as 

FOO X 
1 

A given multiprocessor implementation might consistently return a particular one of these two 
possible results. Nonetheless tlie program must be regarded as nondcterministic, since die program 
itself does not determine a unique answer; only when the program is paired with an implementation 
can tlie result be detennincd. Indeed the result may not be determined even tlien, since tlie result may 
be affected by dynamically changing conditions within the multiprocessor. For example, the number 
of processors available to a computation can change in response to resource requests by concurrent 
computations. 

Thus parallel evaluation of arguments can lead to nondetemiinism because the order in which 
events occur in global time is left incompletely specified. Were the semantics of a program to deter- 
mine completely the order of events in global time, tlie program would be sequential; it is when 
the semantics least constrains the order of events that dierc exist the greatest opportunities for paral- 
lelism. Opportunities for parallelism tiierefore arise from a kind of semantic ambiguity regarding the 
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order of events in global time. Until recently, for example, the (informal) semantics of APL did not 
prescribe a definite order of evaluation of expressions, so that some APL implementations evaluated 

the expression 

X - (X ^ X - 1) 

from left to right and obtained 1, while other equally correct APL implementations evaluated from 
right to left and obtained 0.^ Had a multiprocessor implementation of APL existed, it could have 
evaluated the subexpressions X and (X ^ X - 1 ) in parallel, obtaining on some occasions and 1 
on others. This ambiguity in the semantics of APL has now been fixed by the adoption of a standard 
order of evaluation, but the remedy precludes the parallel evaluation of arguments that was allowed 
by die ambiguity of the old semantics. 

What if the programmer intends a program to be deterministic? Then the programmer, must 
arrange for the sequence-sensitive portions of the program to be executed in a definite order. FOO, for 
example, could be rewritten as 

V RESULT ^ F002 X; LOCALl; L0CAL2 
[1] GLOBAL *- 
[2] LOCALl f- F X 
[3] L0CAL2 +- G X 
[4] RESULT ^ LOCALl + L0CAL2 

V 

using local variables to hold the results of evaluadng F X and G X. F002 is deterministic even when 
amcdon arguments are evaluated in parallel. Remember that Uie possibility of evaluating arguments 
in parallel was not considered when die APL language was designed, and even so die only reason F 
and G cause problems when evaluated in parallel is that each assigns to a global variable referenced 
by die other. Most well-written subprograms have no such side effects. In a language designed 
specifically for concurrency, troublesome side effects could be expected to be even rarer. 

Not only is some incompleteness in specifying die order of events in global Umc desirable be- 
cause it allows concurrency, but it is necessary when concurrency is allowed. For a programming 

''Richard II Lalhwcll, "Some implications of APL ordcr-of-execulion rules". APL79, APL Quote Quad 9, 4-?art 1. June 
1979, pages 329-332. 
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language semantics to specify completely the order in which events are to occur during multiprocessor 
execution of a concurrent program is generally impossible, since it would entail fixing myriad details 
such as the number and relative speeds of concurrent processors, the exact times of and delays occa- 
sioned by page faults and other interrupts, tlie timing of signals between processors and the manner 
in which they are arbitrated, and so on, down to the levels of time resolution at which quantum 
indeterminacy becomes important. 

Except for two general requirements, the actor model specifies none of these timing details. The 
first requirement is that in keeping with the idea of actors as independent compuUitional agents each 
actor has tlie computing energy^ it needs to process messages sent to it. The second requirement is 
that every message eventually arrives at its target, a requirement known definite delay. These require- 
ments leave much unsaid about the order of events in an actor's arrival ordering. The nondeterminism 
that results will be called arrival nondeterminism. 

Arrival nondeterminism is similar to tlie notion of global nondeterminism introduced by Francez 
el al for the programming language CSP,^ but §8 points out an important difference. The local 
nondeterminism of CSP is a form of the choice nondeterminism discussed below. 

Choice nondeterminism arises from the presence of choice points within a program, where an 
implementation is allowed to choose the program's flow of control at random from among a finite 
set of alternatives. The implementation does not have to make the choice randomly, but it may. 
Dijkstra's guarded commands are examples of such choice points. Although choice points permit 
concurrency, they have tlie defect of permitting random choice as well. Choice points are of interest in 
this dissertation only because they are often used to model tlic nondeterminism that accompanies con- 
currency. Nondctcrministic concurrency difi^ers from random choice, but using choice points to model 
nondctcrministic concurrency reduces the problem of providing a semantics for nondctcrministic 
concurrent programs to tlie problem of generalizing the existing dieory of semantics for sequential 
programs to handle choice points. It is Uien important to remember that in Uiis context choice points 

^Computing energy is computing power integrated over time. If several actors share time on a single processor, for 
example, an actor's computing energy is the computing power of the processor multiplied by the lime that the actor 
actually uses the processor. 

^Nissim Francez, CAR Iloare, Daniel J Ixhmann, and Willem P de Roever, "Semantics of nondeterminism. concurrency, 
and communication", J Computer and System Sciences 19, 1979, pages 190-308. 
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are only an attempt to model concurrency. If theories of sequential programs with choice points turn 
out to produce different conclusions about concurrent programs than theories based directly upon 
true concurrency, then the idea that concurrency can be modelled by choice points must yield. That 
has turned out to be Uie case. Considering concurrency directly leads to regarding some programs as 
unboundedly nondetenninislic, but it can be shown that no sequential program with random choice 
points is unboundedly nondeterministic. 

Unbounded (infinite) nondetcrminism is a property of programs that on some fixed input are 
certain to return an answer, but the set of possible answers is infinite. Unbounded nondetcrminism 
will be considered at some length in §7 and §8, but its present importance is tliat a plausible theory of 
semantics for concurrent computation must differ from a theory of semantics for sequential programs 
with choice points. 

The next three sections present the matliematical foundation underlying a theory of semantics 
for concurrent computation. 

III. 2. Fixed Point Semantics 

The denotational theory of programming language semantics is concerned with finding mathe- 
matical objects that represent what a program does. Examples of such objects are partial fiinctions, 
sequences of states, and actor event diagrams. Usually tliere is a partial ordering < on these objects 
with x<y meaning that x is compatible with but possibly less defined than y. In other words, x 
approximates y. If the objects are partial functions, for example, / < g may mean that / agrees with 
g on all values for which / is defined. If the objects are actor event diagrams, x <y means a: is a 
possible initial history^ of y. The object representing a program P is found by solving an equation of 
die form x = fp {x). This section suites conditions guaranteeing a solution to that equation. 

Let {D, <) be a partially ordered set, and let A he a subset of D. a G ^ is a minimal element of 
A \ffA contains no elements below a. That is, 

"ixEA x <a =^ x = a. 
^See §IV.3. 
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aEA'isa least element of A iff a lies below every other element of A. That is, 

\fx EA a<x. 

Maximal and greatest elements are defined dually. 

An upper bound fovAQD is an element uGD such that 

Vx G /4 X <u. 

A least upper bound for /I C D is an upper bound that is least in the set of upper bounds for A in 
D. (Least upper bounds are sometimes called limits, because they are a special case of colimits in 
category dieory; there is also a To topology on D in which the least upper bound of an increasing 
sequence is a limit of the sequence in the topological sense.) In general, a set may not have upper 
bounds, and a set may have upper bounds but no least upper bound. Examples are the rationals Q 
under the usual ordering, and the negative rationals as a subset ofD = Q — { }. If a set has a least 
upper bound, though, it has exactly one. The least upper bound of A C D will be written V:rGA ^ or 
V A, except tliat C and U will sometimes be used in place of < and V- 

A set/i C D is J/r^'c/ei/ iff every pair of elements of A has an upper bound in A. It dien follows 
that every finite subset of A has an upper bound in A. These upper bounds need not be least. For 
example, suppose D is the power set of the natural numbers w ordered by inclusion. Then the set of 
all finite subsets of u; is directed, as is the three element set consisting of { }, { 1 }, and a;. 

Lei {D, <> and (IX, <') be partially ordered sets. A ftmction f:D -> zy is monotonic iff it 
preserves order, so tliat Vx,y GD 

x<y => f{x)<'f{y). 

f is uj-continuous iff it is monotonic and preserves all existing least upper bounds of countable increas- 
ing sequences, so that if { xi } -^^ is a sequence in D with xi < xi^i for alH G w tlien 
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(Equivalently, / is w-continuous if it preserves least upper bounds of countable directed sets.) Note 
that this definition does not presume that all countable increasing sequences have least upper bounds, 
but states only that / preserves tliose least upper bounds that exist. 

{D, <) is u)-complele iff every countable increasing sequence (equivalently every countable 
directed set) has a least upper bound in D. That is, if for all i E uj Xi G D and Xi < Xi^i, then 
Vieu; 2:, exists. 

Now suppose {D, <) has a least element _L and is w-complete. Then every w-continuous 
function f:D -> D has a fixed point given by VfGu;/'(J-)' ^^^ furthermore this fixed point is least 
among all fixed points of/. 

This is tlie most basic fact of fixed point semantics. Typically D is a set of possible meanings 
for programs, such as a set of partial functions from inputs to outputs, ordered according to some 
approximation ordering. The semantics of a programming language defines for each program P a 
continuous function fp:D -> D. ^fhe program P is tlien said to denote tlie least fixed point of its 
associated continuous function fp. The domain D must be w-complete to ensure that the least fixed 
point exists. 

For more information on fixed point semantics, readers should consult the tutorial article by 
Tennent,^ tlie textbook by Stoy,^ or the comprehensive volumes of Milne and Strachey.^" These 
references deal only with fixed point semantics on lattices, however, while we must consider more 
general partial orders. 



III. 3. Domains and Their Completions 

Usually there is an intuitive sense in which some elements of the partially ordered sets con- 
sidered by fixed point semantics are finite. They may be partial functions defined for only finitely 
^R D Tennent, "The dcnolational semantics of programming languages", CACM 19, 8, August 1976, pages 437-453. 



• Joseph! E Stoy, Denotational Semantics: The Scott- Sirachey Approach to Programming Language Semantics MIT Press 
Cambridge MA. 1977. 

^•^Robert Milne and Christopher Strachey, A Theory of Programming Language Semantics, Chapman and Hall Ix)ndon 
1976. 
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Figure 1. A partial order in which every element is isolated. 
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Figure 1 A partial order in which no element is isolated. 

many values, for example, or they may be finite partial computations. This sense of finiteness lies 
behind the following abstract definition. 

Let (D, <) be a partially ordered set. An element x E D is isolated iff whenever A <Z D is 
directed, V ^ exists, and x <\JA, there exists aEA with a: < a. In other words, x is isolated if one 
must go tlirough x in order to get up to or above x via the limit process. As examples, the finite sets 
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are the isolated elements of the power set of a; ordered by inclusion; the ordinal w -f- 1 is isolated in 
the set of countable ordinals under the usual ordering; in the partial order of Figure 1, every element 
is isolated, while in the partial order of Figure 2 no elements are isolated. 

The least element of a partially ordered set is always isolated provided it exists. is the least 
element of the nonnegative rationals under the usual ordering, and it is also the only isolated element. 
The entire set of rationals has no isolated elements under tlie usual ordering. 

For purposes of programming language semantics, partially ordered sets with least elements 
form too general a category. The partially ordered sets of greatest interest for computer science are 
those whose isolated elements are dense in the sense tliat every element is a least upper bound of a 
countable set of isolated elements. To avoid transfinite inductions, and to make directed completeness 
equivalent to w-completeness, it is convenient to assume also that there are only countably many 
isolated elements. 

Definition. A domain is a partially ordered set {D, <) such thai 

1. D has a least element JL. 

2. Every element ofD is the least upper bound of a countable increasing sequence of isolated 
elements. 

3. The isolated elements ofD are countable. 

This definition is nonstandard. The standard definition requires also that D be w-complete, so 
tiiat w-continuous functions from DioD will have fixed points. 

An w-complete domain is complete in the sense tliat every directed subset has a least upper 
bound. An a;-complete domain is also known as a countably algebraic complete partial order.^^ 

Every domain D can be embedded in an w-complete domain D thai is, in a precise sense, the 
smallest w-complete domain containing D. The isolated elements of D are precisely tlie isolated 
elements of D,^^ but in general D contains limit points that are not found in D. D is uniquely 
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M B Smyth, "Power domains", J Computer and System Sciences 16, 1978, pages 23-36. 



^^Ilence D dilTers from completions that^o not preserve least upper bounds, such as the basis completion (Markowsky 
and Rosen) and Bloom's a;-coniplelion. D is isomorphic to the basis completion of {x E: D \ x is isolated in D }. 
See G Markowsky and B K Rosen, "Bases for chain-complete posels", IBM J Research and Development 20, 2, March 
1976, pages 138-147, Stephen L Bloom, "Varieties of ordered algebras", J Computer and System Sciences 13, 2, October 
1976, pages 200-212, and Daniel Lehmann, "On tlie algebra of order", J Computer and System Sciences 21, 1, August 
1980, pages 1-23. 
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Figure 3. A domain and its w-completion. 

determined up to isomorphism, and is called the uj- completion, or simply the completion, of D. It 
will be shown that for any domain D the power domain of D is isomorphic to the power domain of 
its completion D. Then why not use cu-complete domains only, as is standard? Because the power 
domain is interpreted with reference to the domain from which it is built. As will be explained in §5, 
the underlying domain is incomplete in actor semantics. 

At this point readers may wish to read the definition of the closure operation ^ on the next page 
and then skip to §4. The remainder of this section shows how D may be constmcted, and proves the 
facts mentioned above. 

As an aid to understanding tlie concrete construction of D that follows, consider the domain 

({o,l,2,3,...}U{^}U{o''l^2^3^...},p 

where 



i ^ j 
i' C / 
i C j' 



if i < j 
ift <j 
ift <j 



63 



a; • 
t 



t 



4* 
3 
2 4 
1 







4 3' 



>* 2' 



0' 



Figure 4. An incomplete domain. 

This domain is pictured in Figure 3, along with its intuitive completion. Figure 4 shows why u) must 
be less tlian uj'. The domain in Figure 4 is incomplete because the increasing sequence { i }-^^ has u) 
and uj' as its upper bounds, but neither is least. 

Let (D, <) be a domain. 

Definition. r/?<? closure of A C D is 

A' = {deD\3XQD, X directed, d = \/X, and^x G X 3aeA x <a}. 

Lemma 1. If a, b E D are isolated and have an upper bound d, then they have an isolated upper 
bound c such that c <.d. 

Proof. Let {di}-^^ be an increasing sequence of isolated elements with View^i = ^• 
{di\i Euj} is directed, so there exist rfj and dj with a < di and b < dj. Let k — max{ i, j } and 
c = dk. I 

Lemma 2. IfY C D is directed, andx ==\JY, then there exists a directed set Z , consisting solely 
of isolated elements, such that 

x^\JZ 
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and 

"izeZlySY z<y. 

Proof. For y G i' let Zy be a directed set of isolated elements with y = \/ Zy, and let 

Z= [JZy. 

y(EY 

It is clear diat Z consists of isolated elements, and tliat Wz G Z 3y E Y z <. y. 

Leizi,Z2 E Z, and let yi, y2 GYhQ such that^i E Zy^ and>3i2 E Zy^. Let y3 G Y he an upper 
bound for yi and yz, and hence for Z[ and 2'2. By Lemma 1 there exists an isolated z ED such that 
Zi, Z2 <, z <. y^ = \J Zyj. Let zs E Zy^ be such that z Kz^.zs'is an upper bound for zi and Z2 in Z, 
so Z is directed. 

Clearly a: is an upper bound for Z. 

Let x' be an upper bound for Z. a:' is an upper bound for each Zy, soy = \/ Zy <. 3^. Thus a/ is 
an upper bound for Y, whence x = \/ Y <,x'. Therefore x is the least upper bound of Z. | 

Lemma 3. The map '^ is a closure operator on the power set ofD. 

Proof, if A C B, then /I" C B'. Also A C A"". 

To show {A^Y = ^^' ^^t a: E (/l^)'^. /l*^ is downward-closed. That is, if a E ^4*^ and x <. a then 
X E A^. Therefore there exists a directed set Y ^ A^ with x = SJ Y. Let Z be a directed set of 
isolated elements with x = \/ Z and Z Q.A'^. 

Let z E Z. Since z E A'^ there exists a directed set W such that >? = V ^ and Viy E 
W 3a E /i ly < a. Since >2r is isolated there is some w E W with z •< w. Hence there exists a E A 
such that 2 < a. 

Z is directed, x = \J Z, and "iz E Z 3a E A z <. a. Consequently x EA^. | 

Note that A'^ is downward-closed and is closed under existing least upper bounds in D of 
directed subsets. 
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Definition. Let {D, <) be a domain with least elemenl J_. 7/5 completion is {D, C), where 

D = {A'\±eAQD, A directed} 

andforaIlA,B GD 

A^B <=> AQB. 

This malcesD a partial order. Generally {D, C) is not a lattice. 

Lemma 4. If A E D andx, y GA are isolated, then x andy have an isolated upper bound z G A. 

Proof. Let Aq C. D hQ directed with A^ = A. Let x = \l X where X is directed and 
"^w G X 3a Ei Aq w < a. Since x is isolated, x G X. Thus there exists x' E Aq with x < x'. 
Similcirly there exists y' G Aq with y < y'. Letz' E ^o be an upper bound for xf and t/. Let-? be an 
isolated upper bound for x and y with z <,z'. z G A since 2/ E ^4 and /4 is downward-closed. | 

Lemma 5. LeM E D, and let Aq be the set of isolated elements of A. Aq is directed, andAQ = A. 
Proof Immediate from Lemma 4 and the fact that every element of J9 is a least upper bound of 
isolated elements. | 

Theorem 6. IfX C D is directed, then X has a least upper bound in D given by 

l\x = {[jxf. 

Proof It suffices to show that (U XY G D, which requires finding a directed y C D with 
Y'=={]JXY. 

For A G X, let Ya be the set of isolated elements of A. Each Ya is directed, and Y^ ~ A. 
Since X is directed in D, U/iex ^^^^ ^^ directed in D. Clearly IJ^g \[Ya^\JX,so 

(U Y^YQilJxy. 

Aex 

Let x G (U^)^ with x = \J Z' where Z' is directed and Z' C U^- By Lemma 2 there 
exists a directed set Z C (jX consisting solely of isolated elements such tliat x = SJ Z. Since 
Z^[J^^^Ya,xG(\Ja^xYaY. 

Therefore (U^ex ^aY = (U ^)^ and (U XY G D. I 



66 



Hence (D, C) is a complete partial order. 

D may be regarded as a subset of D via the continuous injection x given by a: h-^ ^ where 
x== {d ED\d <x}. From Lemma 5 it can be seen that 

A= 1} X 

xGA 
X isolated 

for any A E'D. The following theorem thus completes a proof that D is an w-complete domain with 
least element {_L}. 

Theorem 7. The isolated elements of D are precisely the images x of isolated elements x inD. 

Proof Let x be isolated in D, and let X C D be directed with 

ic = {y|y<a:}C|JX. 

By l^heorem 6 a: G (U ^Y^ so\eiYQ[jX be directed with x = yY.xis isolated, so a: G >^. Thus 
xGAfox some A EX. For thai A, xn,A. Therefore x is isolated in D. 

Conversely, let ^ G I> be isolated. Let { _L = 6o, 6i, 62, • • • } be the isolated elements of D. 
Define an increasing sequence { Xi }-^^ in D by 

xo = bo = ± 

__ (xi 6i4-i ^A\ 
'''+' ^ \bk bi^i G A, 

where k =-- /xn [6^+1 < 6n A a:^ < 6„ A 6„ G A]. The isolated elements of ^ are directed, 
and Xi E A,sok is defined whenever bi^i E A. For every isolated y E A tliere exists k such that 
y < Xfc. Since /i = ({ y G /^ | y isolated })', A = |J^Gc^ ^t- { ^i h' ^ w } is directed since { ar^ } is 
increasing. Therefore A = xi for some i. | 

That D is the unique com.pletion of D is guaranteed by a universal mapping property.^^ This 
universal property is hardly more than a paraphrase of a theorem on finitary categories by Smyth and 

Plotkin.i^ 

^^Saundcrs MacUne, Categories for the Working Mathematician, Springer- Vcrlag, New York, 1971. 

'%1 B Smyth and G D Plotkin, "1'hc calcgor>'-llieoretic solution of recursive domain equations", Proceedings 18 
Annual IHlil' Symposium on I'oundalions of Computer Science, J977, pages 13-17. 
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Theorem 8. IfE is an u)-compleie domain and f:D -^ E is to-continuous, then there exists a 
unique (jo-continuous map g-D -^ E making the diagram below commute. 




In other words, any continuous map / from D to £" factors uniquely through D: f =--■ gox. 
This means that any w-complete domain containing D also contains D, so that D is the smallest w- 
completion of D. Furthermore any a;-complete domain with this property is isomorphic to D via a 
unique isomorphism. 

III. 4. The Power Domain 

The idea of power domains is that a nondetcrministic function may be described as a determinis- 
tic set-valued function, where the set contains all values the nondetcrministic function can take for the 
given argument. Consider, for example, the program 



V RESULT ^- FOO X 
[1] GLOBAL ^ 

[2] RESULT ^ (F X) + (G X) 
V 

V RESULT ^ F X 
[1] RESULT <- GLOBAL 
[2] GLOBAL ir- 1 

V 

V RESULT ^ G X 
[1] RESULT 4-- GLOBAL 
[2] GLOBAL ^ 1 

V 
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_L 
Figure 5. N, the flat domain of natural numbers. 

defined in §1. When the subprograms F and G are evaluated in parallel on a multiprocessor, FOO can 
map its input to either or 1. This behavior can be described by 

2:i->{0,l}, 

and this is the best description of FOO's input-output behavior possible when arguments are evaluated 
in parallel. 

Since fixed point semantics works by generating a sequence of ever-better approximations to the 
meaning of a program, some ordering C must be placed on sets of values so that A ^ B means that 
B is at least as good an approximation as /I. The values will be drawn from some domain (D, <). 

One of the simplest domains is the flat domain of natural numbers (N, <), where N = 
{ _L, 0, 1, 2, 3, . . . } and x < y if^ x = y or x = ±. (Note that < is not tlie usual ordering on 
N.) This domain is pictured in Figure 5. Suppose for simplicity that APL programs can return only 
nonncgative integers as values, so that the output of FOO lies in N. As already noted, the possible 
outputs of FOO when arguments are evaluated in parallel are best described by the set 

{0,1}. 

Which subsets of N should count as approximations to tliis set? There are at least tliree reasonable 
answers. To each answer there corresponds a way of interpreting sets, and to each interpretation there 
corresponds a preorder. The three preorders we will consider are written Co, CIi, and Ee-M- 

One approaches to interpret a set as including a description of every possible output value. Not 
every element of tlie set has to describe an output value, but every output value has to be described by 
an clement of the set. In tliis approach N and { 0, 1, 2 } both approximate { 0, 1 }, but { 0, 1, 2 } is a 
more refined approximation tlian N: 

NQ){0,l,2}|Zo{0,l}. 
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{ 0, 1, 3 } is an example of an approximation to { 0, 1 } that is incomparable with { 0, 1, 2 }. For 
general domains this approximation ordering is given for A,BQD by 

A^oB ^ ^yGB3xeAx<y. 

As is true also of the next two approximation orderings, Co is in general only a preorder. In 
the case of Co, { _L } Co D Co { _L }. Co is the Smyth ordering, and yields a so-called weak 
power domain.^5 It has been used to give a semantics for a model of concurrency based on message 
passing.^^ 

Another approach is to interpret a set as giving descriptions of some possible output values. Not 
every possible output value has to be described by an element of the set, but every element of the set 
has to describe an output value. In this approach { J_ } and { } both approximate { 0, 1 }, but { } 
is a more refined approximation that { J_ }: 

{j_}Ci{0}Ci{0,l}. 

{ 1 } is an example of an approximation to { 0, 1 } tliat is incomparable with { }. For general 
domains this approximation ordering is given for/1, J5 C D by 

/I Ci B <=> \fxeA3yeBx<y. 

In diis ordering approximations build up to a limit, while in the Smyth ordering approximations nar- 
row down to a limit. In other words, Ci corresponds to a generative approach while Co corresponds 
to a restrictive approach, ^i also gives rise to a weak power domain, and has been used in tlie theory 
of Petri nets.^^ The actor semantics presented in the next chapter will use Ci. 

Historically, die first approach was to interpret a set in both of the preceding ways. For flat 
domains such as N the Egli-Milner ordering Cj;.jyj was defined by 

^Ee-M^ ^ {±(AAA=B) 

V(_LG/lA(/l-{_L})C5). 
'^M B Smyth, "Pov/er domains". 

^^Gcorgc Milne and Robin Milner, "Concurrent processes and their syntax", JACM 26, 2, April 1979, pages 302-321. 

'^Mogcns Nielsen, Gordon Plotkin. and Glynn Winskcl, "Petri nets, event stmctures and domains" in Semantics of 
Concwrent Commputation, Springcr-Verlag Lecture Notes in Computer Science 70, 1979, pages 266-284. 
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Gordon Plotkin generalized to arbitrary domains by the definition^^ 

In tliis approach { J_ } and { J_, } both approximate { 0, 1 }. but { _L, } is a more refined ap- 
proximation than { _L }: 

{±}c:e.m{^,o}Ce.m{o,i}. 

{ _L, 1 } is an example of an approximation to { 0, 1 } that is incomparable with { J_, }. The 
Egli-Milner ordering has been used to give a semantics for Communicating Sequential Processes, a 
language based on message passing.^^ 

Each of the diree preorders, Co, Ci, and Cp^.p^, gives rise to a power domain construction 
applicable to any w-complete partial order having a least element^^ But for the need to solve recur- 
sive domain equations involving power domains, at least the first two of these constructions could be 
extended to incomplete domains as well. In the actor semantics presented in Chapter IV there is no 
need to solve recursive domain equations involving the power domain. Furthermore the domain of 
augmented event diagrams, from which the actor power domain is to be built, is naturally incomplete. 
The remainder of this section therefore defines power domains for all domains, complete or incom- 
plete, and shows tliat for an incomplete domain D the power domain so defined is isomorphic to the 
conventionally defined power domain of its w-completionA 

Michael Smyth has given a succinct characterization of conventional power domains, which we 
will now review.2i He points out that the simplest way to build a power domain is first to decide 
what is to count as a finite piece of information about tlie result of a computation, and then to place 
an approximation ordering on the finite pieces of infonnation. The power domain then becomes the 
essentially unique completion of the partial order so defined. 
'^G D Plotkin, "A powerdomain constmction", SI AM J Computing 5. 3. September 1976. pages 452-487. 

^^Nissim France/, CAR Iloare, Daniel J l^hmann, and Willem P dc Roever, "Semantics of nondeterminism concurrency 
and communication", J Computer and System Sciences 19, J 979, pages 290-308. 

20m C B Ilcnnessy and G D Plotkin, "Full abstraction for a simple parallel programming language" FOCS-79 SDrineer- 
Verlag Lecture Notes in Computer Science 74, 1979. ^ ^ , . i b 

2^M B Smyth, "Power domains." 
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Let {D, <) be a domain. In the most commonly encountered domains, isolated elements 
represent finite chunks of information in D, and indeed the term "finite" is often used in place of 
"isolated". A finite piece of information should therefore be a nonempty finite set of isolated elements 
from D. Smydi preordered these sets using Co and Eg.j^, but we will use Ci, so that a nonempty 
finite set of isolated elements /4 C D is interpreted to mean 

where R is the actual set of values possible as the result of a nondeterministic program. Letting 
A=iB\^A\Z.iB andB Ci y4, tlie equivalence classes of such sets under =i are partially ordered 
by the quotient ordering £i / =i. 

The equivalence classes can be avoided by dealing with distinguished representatives of them. 
Accordingly define \hQ finite frontiers of D as 

F[D) — {/lCD|/4isa nonempty finite set of isolated elements, and 
^x,y S A X <,y => x = y}. 

A G F{D) is called a frontier because each of its elements is both minimal and maximal in A. 
{F{D), Ci) is isomorphic to the set of equivalence classes under =i of nonempty finite sets of 
isolated elements of D, ordered by Ci / =i. {F{D), [Zi) is a domain with least element { _L } in 
which every element is isolated. It therefore has an w-completion (F(D), C), which is the power 
domain, up to isomorphism. 

Observe that only the isolated elements of D matter to tlie constmction. It is therefore irrelevant 
whether D is w -complete. 



The following lemma characterizes the conventional power domain {F{D), C>. 

Lemma L S G F{D) if and only if both the following hold: 
LS = {FeFiD)\F c:\js}. 
2- Ifs E\jS,x is isolated, andx < s, then x E\JS. 

Proof Since every clement ofF(D) is isolated, S G F(D) \ff S is downward-closed and directed 
as a subset of F(D). 
Let 5 GFp). 
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Let s E U S, and let x be isolated with x < s. There exists F E S witli s E F, and so by 
definition { a: } Ci F. Therefore {x} £ S since S is downward-closed, whence x G\JS. 

UF e S, thenF G F(D) andF C US'. SupposeF == {fo, . . .,fn} G F[D) withF C \JS. 
Since 5 is downward-closed, { ^- } G 5 for i = 0, . . . , n. Since 5 is directed, F = |Jj{ { )^- } | i = 
0,...,n}G5. 

Conversely, suppose S satisfies conditions 1 and 2 of the lemma. LetFi,F2 G «S'. Fi Ui F2 C 
^1 U^2 C U-S", so Fi Ui F2 G 5 and 5 is directed. Let Fi G 5, and let F Ci Fi. For every 
a: G F there exists s G Fi with a: < s. By condition 2 F C U S. By condition IF ES. Thus S is 



downward-closed. Being downward-closed and directed, S G F(D). | 

A corollary of this lemma is that the least upper bound of an increasing sequence { Si }^.^^ in 

FpJisgivenbyU.^^-^^—Ueu^^^i- 

The concrete power domain that we will use is defined below. As will be shown, it is isomorphic 



to(F(D),p. 

The closure operation '^ was defined in §3. 

Definition. Let{D, <) be a domain. //^ power domain is{P[D], CZ), where 

PID] = {A'\ ±eAQD} 



and,forA,BeP[D], 



A\ZB <=> AdB. 



In other words, P[D] is the collection of downward-closed subsets ofD that are also closed under 
existing least upper bounds of directed sets inD. Note that while the ordering on P[D] is given by the 
subset relation, least upper bounds do not in general coincide with unions. 

For tlie actor event diagram domain D, an element of P[D] represents a list of possible initial 
histories of a computation. Since for elements x and y o^Y),x <y means that x is an initial segment 
of tlic initial history y, the requirement that elements of F[D] be downward-closed has a clear basis in 
intuition. 
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The next theorem gives several nice properties of the power domain. In particular, it is an lo- 
complete domain, so a;-continuous ftmctions have fixed points. 

Definition. A countably based continuous complete lattice is an w-complete domain such that for 
any subset X of the domain both a least upper bound |J X and a greatest lower bound nX exists. 

Theorem 2. If{D, <) is a domain, then (-Pp], E) is a countably based continuous complete 
lattice. 

Proof IfX C P[D], then U ^ = (U ^T and nX = fl ^• 

The isolated elements of P[D] are the closures of finite sets of isolated elements, that is sets of 
the form {xo,...,Xny where xo,...,Xn are isolated in D. To prove it, let 2:0, • • • , ^n be isolated 
and let X C P[D] be directed with {xo,...,Xny C \_\X. Since Xi G {\J Xf and Xi is isolated, 
^i E \JX. Let Ai G X have Xi as an element. Let A G X be an upper bound for Aq,..., An. 

{xo,...,Xny^A. 

Conversely, leti4 G P[D] be isolated and let { a:^ | i G a; } be the isolated elements of A. Let 

Xn = {a^i I z < n}. 

Then {X"^}^^^ is an increasing sequence in P[D] and A = Une^^n' so for some n, A = X^. 
I 

The following theorem says that at a certain level of abstraction P[D] is the same as the conven- 
tional power domain of D. While P[D] will be used in the next chapter to give a semantics for actor- 
based programming languages with unbounded nondeterminism, however, the conventional power 
domain is usually considered incapable of expressing unbounded nondeterminism. This points out 
die importance of tlie concrete interpretation placed upon elements of tlie power domain. 



Theorem 3. If{D, <) is a domain, then {P[D], C> is isomorphic to {F{D), C). 
Proof Consider the map from F{D) to P[D] given by F i-^ F". This map is monotonic and is 
trivially continuous since F(D) has only isolated elements. By Theorem 8 of §3 there exists a unique 



continuous extension of this map with domain F(D). I'his unique extension is rj: F{D) — ^ P[D] with 
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T] (5) = (U Sy for all S G F{D). It remains to be shown that rj is one-to-one and onto and has a 

continuous inverse. 

(U sy is the same as (U S) except for non-isolated elements, so ry is one-to-one by Lemma 1. If 

AeP[D],then 

A = {x E A\x\s isolated Y 

= r}{{FeF{D)\FQA}) 
soryisontoFp]. 



The inverse of r/ is 6: P[D] -> F{D) where ^ (/I) = {F G F{D) \ F C, A}. 9 is clearly 
monotonic. To show 9 continuous, let {^i}^^;^ be an increasing sequence in P[D] and letF G 
^(UiGw^O- That is, F C UiGw^i = (Uiec^^i)''- Each a: G F is isolated and so a; G Ai for 
some i. F is a finite set, and {Ai }^^^ is an increasing sequence, so F C Ai for some i. Therefore 

FeUieJi^i)- I 

III. 5. Pov/er Domains from Incomplete Domains 

Usually die partial order from which die power domain is constructed is required to be o;- 
complete. There are two reasons for this. The first reason is diat most power domains are simply 
generalizations of domains that have been used as semantic domains for conventional sequential 
programs, and such domains are all complete because of the need to compute fixed points in the 
sequential case. The second reason is that w-completencss permits the solution of recursive domain 
equations involving the power domain such as 

/? ~ 5 -> F[5 -f (5 X R)] 

which defines a domain of resumptions.'^^ As shown in the previous section, however, power domains 
can be defined for any domain whatsoever. Furdicnnorc the power domain of a domain is essentially 
the power domain of its cu-completion, so recursive equations involving the power domain of an 
incomplete domain can still be solved, provided the domains to which the usual constructors (-{-, X , 
— >, and *) are applied arc cu-complete. It happens that defining actor semantics as in the next chapter 
docs not require solving any recursive equations involving die power domain. 



22, 



*lotkin, "A powcrdomain construction". 
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In short, there is no technical impediment to building power domains from incomplete domains. 
But why should one want to do so? 

In behavioral semantics, developed by Irene Greif, the meaning of a program is a specification of 
die computadons that may be performed by the program. The computations are represented formally 
by the actor event diagrams considered in Chapter II. Greif specified the event diagrams by means of 
causal axioms governing the behaviors of individual actors.^^ 

Henry Baker has presented a nondeterministic interpreter generadng instantaneous schedules 
which then map onto event diagrams. He suggested that a corresponding deterministic interpreter 
operating on sets of instantaneous schedules could be defined using power domain semantics.^'* 

The semantics presented in the next chapter is a version of behavioral semantics. A program 
will denote a set of actor event diagrams. That set will be defined extensionally using power domain 
semandcs rather than intensionally using causal axioms. The behaviors of individual actors will be 
defined fimctionally. It will be shown, however, that the resulting set of actor event diagrams consists 
of exacdy those diagrams diat satisfy causal axioms expressing tiie functional behaviors of actors. 
Thus Greif s behavioral semantics is compatible with a dcnotational power domain semantics. 

Baker's instantaneous schedules introduced the notion of pending events, which represent mes- 
sages on die way to their targets or in the process of being sent. Each pending event must become 
an actual (realized) event sooner or later, a requirement referred to as finite delay. Augmenting 
actor event diagrams with sets of pending events helps to express die finite delay property, which is 
characteristic of true concurrency.^^ 

The augmented actor event diagrams form a partially ordered set (D, <) from which to con- 
struct the power domain P[D]. The augmented diagrams are partial computation histories repre- 
senting "snapshots" of a computation on its way to being completed. For x,y ET>, x <. y means x 
is a stage die computation could go dirough on its way to y. The completed elements of D represent 

computations that have terminated and nonterminating computations that have become infinite. The 

^^Irene Greif, "Semantics of communicating parallel processes", MIT Project MAC Technical Report 154, September 
1975. 

^■^Ilenry Baker, "Actor systems for real-time computation", MIT LCS Technical Report 197, March 1978. 

^•■^Jerald S Schwarz, "Dcnotational semantics of parallelism", in Semantics of Concurrent Computation, Springer-Verlag 
Ixcture Notes in Computer Science 70, 1979. 
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completed elements may be characterized abstractly as the maximal elements of D.^^ Concretely, the 
completed elements are those having no pending events. Intuitively, D is not w-complete because 
there exist increasing sequences of finite partial computations 

^ :^ 2:1 < X2 < 2:3 < • • • 

in which some pending event remains pending forever while the number of realized events grows 
without bound, contrary to the requirement of finite delay. Such a sequence cannot have a limit, 
because any limit would represent a completed nonterminating computation in which an event is still 
pending. 

Many readers will be concerned about tlic possibility of a nonterminating computation proceed- 
ing merrily along from one finite stage to the next but blowing up at infinity without a trace, that is, 
without an element in D to represent the entire nonterminating computation. That cannot happen. 
In Chapter IV it will be shown for every program that the set of partial computations that can occur 
is exactly the set of initial histories of the completed computations that can occur. Every element 
of D lies below a completed element, and the completed elements represent all possible completed 
computations, both terminating and nonterminating. If an increasing sequence does not have a limit, 
then it does not represent a possible computation, because the sequence reveals a message that is sent 
but that never arrives at its target, w-incompleteness thus follows from the assumption of finite delay. 

The fact tliat there exist increasing sequences without least upper bounds will seem strange to 
those accustomed to thinking about the semantics of sequential programs. It may help to point out 
that the increasing sequences produced by sequential programs all have least upper bounds. Indeed, 
the partial computations that can be produced by sequential computations form an w-complete sub- 
domain of D. An informal proof follows. 

From the actor point of view, sequential computations are a special case of concurrent computa- 
tions, distinguishable by their event diagrams. The event diagram of a sequential computation has an 
initial event, and no event activates more than one event. In other words, the activation ordering of a 

sequential computation is linear; die event diagram is essentially a conventional execution sequence. 

^^'See §0 of William W Wadge, "An extcnsional treatment of dataflow deadlock", in Semantics of Concurrent Computation, 
Springer- Vcrlag Ix;clure Notes in Computer Science 70, 1979. 
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This means that the finite elements of D 

^ I^ 2:1 < 2:2 < 0:3 < • • • 

corresponding to tlie finite initial segments of a sequential execution sequence all have exactly one 
pending event, excepting the largest, completed element if the computation terminates. One property 
of the augmented event diagrams domain (D, <) is that if a: < y and x y^ y, then some pending 
event of 2: is realized in y. Since in this case each xi has at most one pending event, every pending 
event in the sequence becomes realized. Hence the sequence 

^ :^ 2:1 < 2:2 < 3:3 < • • • 

has a least upper bound in D, in accord with intuition. 

The above proof applies to all sequential programs, even tliose with choice points such as 
guarded commands. Thus actor semantics includes sequential programs as a special case, and agrees 
with conventional semantics on the meanings of such programs. 

For convenience, though, the behavioral semantics presented in the next chapter will assume that 
all actors are deterministic, which rules out choice points. We exclude choice nondeterminism, the 
better to study arrival nondeterminism. 

To repeat, die actor event diagram domain D is incomplete because of the requirement of finite 
delay, which allows any finite delay between an event and an event it activates but rules out infinite 
delay. Finite delay follows from leaving much timing infonnation unspecified, such as tlie cylinder 
that happens to be under a disk head at a particular instant, the detailed time-dependent behavior 
of a communications network, die relative speeds of concurrent processors, and die exact times at 
which inputs are presented to the computing system by the external world. All these timing details are 
suppressed in the interest of obtaining greater abstraction. 

The next three sections explain die reladon between finite delay and fair parallelism. 

III. 6. Implementations are not Meanings 



It is not necessary for the semantics to determine an implcmcntadon, but it 
should provide criteria for showing tliat an implementation is correct. 
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Thus spoke Dana Scott of the purposes of a programming language scmantics.^^ Usually, however, 
the formal semantics of a conventional sequential programming language may itself be interpreted to 
provide an (inefficient) implementation of the language. A fonnal semantics need not always provide 
such an implementation, though, and to believe that semantics must provide an implementation leads 
to confusion about the formal semantics of nondeterministic languages. Such confusion is painfully 
evident when the presence of unbounded nondeterminism in a programming language's semantics is 
said to imply that the programming language cannot be implemented. 

Although the meaning of a computer program may be described by an element of a power 
domain, so that the program's meaning is a set, execution of the program is not supposed to produce 
the set as its answer. Rather the set describes the possible outcomes of executing the program. 

Indeed, although the meaning of the program is represented as a set of possible outcomes, it 
is not necessary that every possible outcome be possible in every implementation of the program. 
This permits nondeterministic languages to be implemented efficiently on deterministic, sequential 
machines. 

In other words, implementations are not required to preserve all tlie nondeterminism present in 
the semantics. This corresponds to loose nondeterminism in the distinction drawn by David Parle i^^ 

light nondetenninism: each correct implementation must, according to some 
precise sense of "possible result", produce all and only those possible results 
which the semantics of the language prescribes. 



loose nondeterminism: there may or may not be a sense in which the im- 
plementation can produce more than one result; tlie only constraint is that 
every result produced is one of those prescribed by tlie semantics. 



Ml. 7. Choice Nondeterminism is Bounded 

Unbounded nondetciTninism, defined below, is an arcane technical notion of little interest in 

its own right. It is useful in pointing out the diffisrencc between choice nondeterminism and the 

^'^"What is Denotalional Semantics?", MIT Laboratory for Computer Science Distinguished Ucture Series 17 Aonl 
1980. ' ^ 

^*^"0n the semantics of fair parallelism", University of Warwick ITieory of Computation Report 31, October 1979. 
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nondeterminism that arises from concurrency, and in discussing the interesting and practical question 
of fairness. 

If, for some fixed input, a program always returns an answer but die number of possible answers 
is infinite, then the program is said to exhibit unbounded nondeterminism. Unbounded nondeter- 
minism as tiius defined is not a very precise concept since it depends critically upon the meaning of 
"possible". In my opinion it is best to take the possible answers as those permitted by the semantics of 
die programming language in which the program is written. This gives unbounded nondeterminism a 
meaning as precise as can be had given the semantics of the language under consideration. Under diis 
interpretation unbounded nondeterminism is a property of programs, not a property of implementa- 
tions. 

Nondeterminism tiiat is not unbounded is bounded. Thus tiie nondeterminism of a program that 
may not halt is bounded. 

Nondeterministic Turing machines have only bounded nondeterminism.^^ Sequential programs 
containing guarded commands as the only sources of nondeterminism have only bounded nondeter- 
minism.^" Briefly, choice nondeterminism is bounded. Plotkin gave a proof in his original paper on 
power domains:^^ 

Now die set of all initial segments of execution sequences of a given non- 
deterministic program P, starting from a given state, will form a tree. The 
branching points will correspond to the choice points in die program. Since 
diere are always only finitely many alternatives at each such choice point, die 
branching factor of the tree is always finite. That is, die tree is finitary. Now 
Konig's lemma says diat if every branch of a finitary tree is finite, dien so is 
die tree itself In die present case diis means that if every execution sequence 
of P temiinates, then diere are only finitely many execution sequences. So if 
an output set of P is infinite it must contain [a nonterminating computation]. 

This proof depends upon the premise diat if every node a: of a certain infinite branch can be reached 

by some computation c, then diere exists a computation c diat goes dirough every node x on die 

2^A nondetemiinisUc Turing machine is a mathematical abstraction, not a physical machine. A given nondeterministic 
luring machine is thus belter viewed as a program than as an implementation. 

^°Edsger Dijkstra, A Discipline of Programming, Prentice Hall, 1976. 

^G D Plotkin, "A powerdomain construction", SI AM J Computing 5, 3, September 1976. pages 452-487. 
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branch. In other words, the premise is of the form 

yx3cF{x,c)=^3c'ixF{x,c). 

Clearly this premise follows not from logic but rather from the interpretation given to choice points. 
This premise fails for arrival nondeterminism because of finite delay. Though each node on an infinite 
branch must lie on a branch with a limit, die infinite branch need not itself have a limit. Thus the 
existence of an infinite branch does not necessarily imply a nontenninating computation. 

The following program, written in Communicating Sequential Processes,"^^ is an example of a 
program with choice nondeterminism. Its nondeterminism is therefore bounded. 

[P : : n: integer; n := 0; 

guard: boolean; guard := true; 

*lguard — > n : = n + 1 

D guard — > guard := false] 
] 

The repedtive guarded command might never terminate, because the first guard might always be 
chosen in preference to Uie second. While in a sense this is unfair to the second guard, it is allowed by 
the interpretation of choice points, because random choice is a valid implementation of choice points. 
An implementation that chose guards at random might choose the first guard on each repetidon, and 
while the probability of diat happening would be zero it would sdll be possible. Since the implemen- 
tadon using random choice is allowed to choose the first guard forever, deterministic implementations 
arc also allowed to choose the first guard forever. According to loose nondeterminism, Uierefore, in 
some valid implementadons this program could not possibly halt. 

Arrival nondeterminism, however, can be bounded. Consider a dual processor system. As 

timesharing users know, from a user's viewpoint die effecdve speed of a processor varies with die 

computational tasks it is called upon to perform. Suppose one of die dual processors is used for 

timesharing as well as batch computaUon while die other is reserved for batch compuUUion. As die 
-^^C A R Iloare, "Communicating sequential processes", CACM 21, 8, August 1978, pages 666-677. 
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timesharing load increases, the relative eifective speeds of the two processors varies. The effective 
speed ratio is bounded only by the degraded response time that users are willing to tolerate, so for the 
purposes of mathematical discussion the effective speed ratio is unbounded. 

The unboundedness of the effective speed ratio gives rise to unboundedly nondeterministic 
programs. Suppose the timesharing processor counts to 100 and tiien sends a message to the other 
processor. Meanwhile tiie relatively free processor has been counting as fast as it can; how high can it 
count before it receives the message? As more users burden die timesharing processor, successive runs 
of the program yield higher and higher counts. No principled bound can be set. 

One possible -objection to tiiis scenario as an example of unbounded nondeterminism is that 
the behaviors of die timesharing users and the timesharing system must be included in any proper 
account of the concurrent counting program. If this objection is to be allowed, though, the semantics 
of concurrent programs becomes quite intractable. Semantics is usead only to die extent Uiat such 
details can be suppressed. 

An analogous scenario can be constructed for a single sequential machine tiirough die use of two 
agendas from which tasks are selected alternately and to which tasks are added uricvenly. Again an 
unbounded delay can be achieved. It is the property of finite but unbounded delay diat gives rise to 
unbounded nondeterminism. Finite delay is a common and natural property of abstract descriptions 
of concurrent systems. 

III. 8. Fairness Implies Unbounded Nondeterminism 

Fairness, roughly speaking, is a property of programs that take inputs from two or more concur- 
rent processes in such a way tiiat each attempt by a process to provide input is bound to succeed 
sooner or later. A fair (two-way) merge, for example, is a program that takes values produced by 
two processes and merges them into a single sequence, never ignoring forever a value Uiat one of die 
processes is trying to feed it. If one of die processes generates an infinite sequence of zeroes and die 
other an infinite sequence of ones, then die set of sequences that could be produced by a fair merge 
of diose processes is die set of sequences containing infinitely many zeroes, infinitely many ones, and 
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nothing else; formally 

(0*11*0)'^. 

An unfair merge would be a sequence with only finitely many zeroes or ones. 

The ability to write a fair merge is very important to programmers of operating systems and 
concurrent systems. By no means is it an ability provided by all concurrent programming languages. 
Unbounded nondeterminism serves as one test for fairness: if a fair merge can be written in die 
language, then the fair merge can be used to write a program with unbounded nondeterminism. To 
see die idea behind this bit of folk wisdom, consider a program written in Communicating Sequential 
Processes (CSP):^^ 

[X :: Z!stop() || 

Y :: guard: boolean; guard := true; 
*lguard -^ Z!go{); Z?guard^ \\ 

Z : : n: integer; n := 0; 

continue: boolean; continue := true; 
*[X?stop() — > continue := false 

D y?go() — > n : = n + 1 ; Y [continue'] 
] 



This program illustrates global nondeterminism, since the nondctemiinism arises from incomplete 
specification of the timing of signals between Uie three processes X, Y, and Z. The repetitive guarded 
command in the definition of Z has two alternatives: either the stop message is accepted from X, 
in which case continue is set to false, or a go message is accepted from Y, in which case n is 
incremented and Y is sent the value of continue. If Z ever accepts die stop message from X, then 
X terminates. Accepting the stop message causes continue to be set to false, so after Y sends its 
next go message Y will receive f al se as the value of its guard and will terminate. When both X and 
Y have terminated, Z terminates because it no longer has live processes providing input. 
''•^C A R Hoare, "Communicating sequential processes", CACM 21, 8, August 1978, pages 666-677. 
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As the author of CSP points out, therefore, if the repetitive guarded command in the definition 
of Z were required to be fair, this program would have unbounded nondeterminism: it would be 
guaranteed to halt but there would be no bound on the final value of n. In actual fact, the repetitive 
guarded commands of CSP are not required to be fair, and so the program may not halt.^'* This fact 
may be confirmed by a tedious calculation using the semantics of CSP,^^ or simply by noting that 
the semantics of CSP is based upon a conventional power domain and thus does not give rise to 
unbounded nondeterminism. 

The reason unbounded nondeterminism does not apear in conventional power domain semantics 
is tliat each element of the power domain is interpreted as a finitely generable subset of the underlying 
a;-complete domain. In the a;-complete domains tliat have been proposed, finitely generable subsets 
are either finite or contain an clement representing a nontcrminating or undefined computation, for 
essentially the same reason that choice nondeterminism is bounded.^^ In the actor event diagram 
domain and its completion, however, the augmented diagrams contain so much operational infor- 
mation that one can distinguish computations that violate finite delay from other nontcrminating 
computations. Intuitively, the actor event diagram domain is incomplete because the computations 
that violate finite delay have been thrown out. 

To return to the proof that choice nondeterminism is bounded and to see why tliat proof does 
not work for arrival nondeterminism, it is first of all not clear that the tree of initial segments of 
execution sequences of a concurrent program is always finitary, since tlie alternatives may for example 
correspond to the wait times allowed by finite delay.'^^ Secondly, an infinite branch does not neces- 
sarily indicate a nontcrminating computation, since the path may violate the requirement of finite 
delay and thus not have a limit. Recall die fair merge of an infinite sequence of zeroes and an infinite 
sequence of ones. Every finite sequence of zeroes is a possible initial segment of a fair merge but the 

^^Nissim Francez, CAR Hoare, Daniel J Lchmann, and Willem P de Rocver, "Semantics of nondeterminism, concurrency, 
and communication", / Computer and System Sciences 19, 1979, pages 290-308. 



^^G D Plolkin, "A powerdomain constniction", SI AM J Computing 5, 3, September 1976, pages 452-487. 

■^^Nancy A Lynch and Michael .T Fischer, "On describing the behavior and implementation of distributed systems", in 
Semantics of Concurrent Computation, Springer- Verlag Ixcture Notes in Computer Science 70, 1979. Sec also R J Back, 
"Semantics of unbounded nondeterminism", Mathematisch Centrum Report IW 135/80, April 1980. 
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limit, an infinite sequence of zeroes, is impossible. 

Apparently the designer of CSP stopped short of requiring fairness because at the time languages 
with unbounded nondeterminism were widely regarded as unimplementable."^^ Additionally un- 
bounded nondeterminism would have precluded giving a conventional power domain semantics for 
CSP. 

Another important proposal, based like CSP on message passing but more abstract than a 
programming language, is Concurrent Processes.^^ The semantics of Concurrent Processes also uses 
conventional power domains, so tliere is no unbounded nondeterminism and a fair merge cannot be 
specified. 

It appears that a fair merge cannot be written as a nondeterministic data flow program operating 
on streams.'*^ The reason is that for any monotonic function 

merge: S X S -^ P[S] 

from pairs of input streams to sets of possible output streams it must be that 

merge {±, 1^) C merge {0, l*^) 

where _L is the empty stream. Since the only fair merge of _L and 1'^ is 1'^, 1'^ should be an element 
of merge (_L, 1'^), but that would mean 1'^ must be an element of merge (0, 1^) also. 

The coroutine proposal of Kahn and McQueen avoids nondeterminism altogether and thus can- 
not provide a fair merge. The "fair merge" that they present must assume for its correctness that both 
of its input streams are infinite.'*^ 
'^^"Communicating sequential processes"; 
^^George Milne and Robin Milner, "Concurrent processes and tlieir syntax", JACM 26, 2. April 1979, pages 302-321. 

'^^Despite a claim to Uie contrary in Paul Roman Kosinski, "Denotational semantics of determinate and non-determinate 
data flow programs", MIT LCS Technical Report 220, May 1979. Tlic proof of Theorem 5.2 in that paper mistakenly 
assumes trichotomy for partial orders. In fact die domain of lagged-strcam-sets is incomplete, and the fixed points being 
manipulated in the remainder of that paper do not exist. 

'"Gilles Kahn and David McQueen, "Coroutines and networks of parallel processes", irTP-77, Montreal, August 1977, 
pages 993-998. 



85 



It is possible to write a CSP program that acts as a fair two-way merge so long as neither process 
transmits infinitely many messages to it. Since CSP's semantics identifies all nonterminating computa- 
tions, it is impossible to tell directly from the semantics whether the program is unfair in the infinite 
case. Since no CSP program has unbounded nondeterminism, however, one can conclude that writing 
a fair merge in CSP is impossible. In this way unbounded nondeterminism provides an indirect 
answer to the question of fairness even though the question cannot be formulated directly. 

Notice in the context of loose nondeterminism that even though writing a fair merge in a given 
language may be impossible it may still be possible to write merge programs in the language that will 
in practice be implemented fairly. Indeed, the author of CSP has set forth the informal requirement 
that "an efficient implementation should try to be reasonably fair".^^ In practice implementations can 
be extremely fair, l^he fact that examination of a programming language's semantics shows tiiat a fair 
merge cannot be written in the language reveals a deficiency not of the language but of the current 
dieory of programming language semantics. 

To sum up, the problem with choice points as a model of nondeterministic concurrency is that 
diey cannot be used to write a fair merge. In terms of what programs can express about their 
implementadons, merge programs using choice points can allow fair merge but they cannot require it. 

How important is fairness? Every finite initial sequence of values produced by an unfair merge 
can also be produced by a fair merge. Fair and unfair merges differ only at infinity. It can be argued 
that fairness is dierefore unimportant, since as finite beings our horizon of interest seldom extends 
beyond a few score billion years. This argument should appeal to those who for die same reason find 
silly the question of whether a program terminates or not. 
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"Communicating sequential processes". 
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Chapter IV 



Actor Semantics 



This chapter sets forth a power domain semantics for actor-based languages. The semantics 
given here is a power domain formulation of the behavioral semantics invented by Irene Greif.^ The 
semantics has an operational flavor because it gives as die meaning of a program a set of generalized 
execution sequences, which are essentially the actor event diagrams of Chapter II. 

IV. 1. Primitive Serlalizers 

A primitive serializer is a special kind of actor. Conceptually a primitive serializer consists of 
an arbiter, a queue, and a processor. A primitive serializer is the target of an event when a message 
arrives at the scrializer's arbiter and is placed in die scrializer's queue to await processing. When 
two messages arrive at about the same time, die arbiter decides which one goes first in the queue. 
The arbiter must be reliable and place every incoming message in die queue. In other words, the 
arbiter performs a fair merge on incoming messages. The processor of die primidve serializer accepts 

messages serially from die queue and processes Uiem according to some deterministic and terminating 

Mrene Greif, "Semantics of communicating parallel processes", MIT Project MAC Technical Report 154, September 
1975. 
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(stack = elements initially [ ] 
inside 
accept [ continuation op x ] 
if equal [ op "push" ] 

then change elements to [ x elements ] ; 

send "pushed" to continuation 
else 
if equal [ op "pop" ] 
then 

(if equal [ elements [ ] ] 

then send "error -- stack empty" to continuation 
else change elements to second(elements) ; 
send "popped" to continuation) 
else 
if equal [ op "top" ] 
then 

(if equal [ elements [ ] ] 

then send "error -- stack empty" to continuation 
else send f irst(elements) to continuation) 
else 
if equal [ op "empty?" ] 

then send equal [ elements [ ] ] to continuation 
else 
send "error -- undefined operation on stack" to continuation) 



Figure 1. An implementation of a single stack in the toy programming language Atolia, 

algoritlim. When the processor accepts a message from the queue, it locks and accepts no more 
messages from the queue until it finishes witli tliat message. 

Messages arc accepted and processed in the same order that they arrive at tlic primitive serializer, 
that is, in the same order as the arrival ordering of dieir corresponding events. Processing a message 
may involve (1) changing the local state of the primitive serializer's processor; (2) sending out a finite 
set of messages; (3) creating a finite set of new primitive serializcrs; this last possibility resembles 
process creation. When the processor finishes processing a message, it unlocks and accepts the next 
message in the queue. If tiierc are none, it waits until there are. 

Primitive serializers have been proposed as a basis for programming concurrent and distributed 
systems.^ Figure 1, for example, shows one way to implement a stack as a primitive serializer. There 
is one state variable, el ements, which is the empty sequence initially, stack takes messages of the 
form 

^Carl Hewitt, Giuseppe Attardi, and Ileno' Liebcrman, "Specifying and proving properties of guardians for distributed 
systems", in Semantics of Concurrent Computation, Springer- Verlag Lecture Notes in Computer Science 70, 1979. 



[^continuation op x'] 

where continuation is an actor that should receive the result or notification, op is one of the four 
stack operations (push, pop, top, and empty?), and a: is a value to be pushed. When the operation 
is pop, top, or empty?, x may be omitted. The messages sent and the changes made to the local 
state variable should be apparent from tlie code, stack never creates any actors. 

Programming languages based on primitive serializers, such as Actl^ and Atolia,'* will be called 
actor-based languages. Programs in such languages are often written in the object oriented, continua- 
tion passing style illustrated by stack. 

IV. 2. Actor Behaviors 

For simplicity, diis chapter will ignore actor creation. Chapter V will outhne the small changes to 
the semantics given here that are necessary when actors can be created in the course of computation. 

Let A be the set of actors, and M the set of messages. 

An actor is completely described by its name and by its behavior, which specifies what the actor 
does whenever it receives a message. An actor's name is a necessary part of its description because two 
different actors may have the same behavior. An actor's behavior is a necessary part of its description 
because the same actor may have different behaviors at different times. 

When a primitive serial izer receives a message, it may change state, may send out a finite number 
of messages to odier actors, and may create other actors. Ignoring the possibility of creating other 
actors, this suggests that the behavior of a primitive serializer a should be a function 

6": E" -^ [M -^ (E° X (A X M)*)], 

where S° is the set of local states of a, and an element of (A X M)* represents a finite set of messages 
sent out to specific targets. Since the only purpose of local states is to index the next behavior, though, 
^ibid. 
''See §V.5. 
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it is better to define the behavior domain F via the reflexive domain equation^ 

F ~ [M -* (F X (A X M)*)]. 

F may be thought of as fJie set of trees of height uo, with an unlabelled root node, non-root nodes 
labelled by finite sequences in A X M, and such that each node has exacdy one outgoing arc labelled 
by m for each message m E M. 

Behaviors are normally specified using a programming language. Using informal mathematical 
notation, the initial behavior of stack might be written 

6[]: [c push a:]h-> (6[^[j],((c,pushed»> 

[c pop] h-> (6[|,((c, error -- stack empty})) 
[c top] i-» (6[],((c, error -- stack empty))) 
[c empty?] h-> (6[], ((c,irne))) 

where b[x y] is the behavior defined by 

b[x y]-. [c push 2] t-^ (6[3 [^ ,^]], {(c, pushed))) 
[c pop] H-4 {&y,{{c, popped))) 
[c top] ^{b[xy],{{c,^))) 
[c empty?] k4 (6[^ y,, ({c, false))) 

(The madiemadcal notation here is less precise dian the programming language since it does not indi- 
cate die values of the behaviors on messages diat do not match die patterns.) As a simpler example, 
die Atolia script 

accept [ ] dummy 

signifies the constanUy passive behavior 

p: m 1-^ (p, ( )). 

It is die purpose of a programming language semanUcs to define a mapping from syntactic ob- 
jects such as the code for stack to madiemadcal objects such as the behavior 6[ ]. The goal of this 

' 'ITiat this equation has a solution is assured by the standard theory of programming language semantics. See Dana 
Scott, "Data types as lattices", SI AM J Computing 5, 3, September 1976, pages 522-587, or the books by Sloy or Milne 
and Slrachey. 
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chapter is to define a mapping from computer programs written in an actor-based language to sets of 
actor event diagrams representing possible outcomes. The mapping is defined in two stages. In the 
first stage, the standard denotational theory of sequental programming language semantics is used to 
define for each program Q in the language a function 

g^(Q):A-fF 

giving die inidal behavior of each actor. In die second stage diat ftmction is used to define die set of 
possible outcomes of the program Q. 

The second stage is largely independent of die programming language. For die purposes of die 
second stage an actor-based programming language is simply a pair 

where I is a description language (set of programs) and "3^ is a map 

g^: JL -^ (A -^ F). 

Appendix IV presents I and 5^ for a toy language illustrating actors.^ I and ^ have previously been 
specified for a version of the Actl language.'^ 

IV. 3. The Actor Event Diagram Domain 

An element of die actor event diagram domain is an actor event diagram as in Chapter II aug- 
mented by a (possibly empty) set of pending events. See Figure 2. As before, each vertical line 
represents an arrival ordering, with Umc flowing downward so diat early events lie above later events. 
As before, die arrows represent links of the acdvation ordering. As before, die target and message of 
an event are written beside the event's dot. 

^In Appendix IV I is the set of actor script declarations Act. Ihe behavior domain F given in Appendix IV is 
complicated by actor creation. For programs that do not create actors, Uie dilTcrenccs between the behavior domain of 
Appendix IV and the behavior domain of this section may be ignored. 

^Carl Hewitt and Giuseppe Attardi, unpublishable. 
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pending: 

sieve ^ \_filter2 reply 3] activated by: (/z7ier2, 2> 
integers <- If ilter2 request] activated by: {/i7<er2, 2> 

print-primes +— [ ] 



sieve <— {^print- primes request 



sieve *— {^integers reply 2] 



print-primes +— ^sieve reply 2] 



sieve +— \_print-primes request] 



integers +— [szeue request] 



integers i— lfilter2 request] 



filter2 ^— ^integers reply 3] 

filter2 *— [sieve request] 
filter2 ^ [integers reply 3] i' 



Figure 2. An actor event diagram with pending events. 

Each pending event represents a message on its way to a target. The activator of a pending 
event is the event that caused the message to be sent. When the pending event becomes realized (in 
a greater element of D) its activator will be the activator of the realized event. In order to refer to 
arbitrary events, let (a, n) be the (n + l)th event in tlie arrival ordering of a if such exists. In other 
words, if a is an actor then the successive events in die arrival ordering of a are 

(a,0>,(a,l),{a,2),(a,3>,(a,4),.... 

The elements of die actor event diagram domain 1) will be required to have inidal events and to 
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obey a law of finite activation. Finite activation corresponds to tlie restriction on primitive serializers 
tliat they send out only finitely many messages before they unlock. Simplicity is the only reason for 
requiring initial events.^ 

The formal definition of the actor event diagram domain will use the concept of multisets. A 
multiset is a set with repetitions. For example, { 1 } and { 1, 1 } are distinct multisets. A set with 
elements from a universe U may be considered a fimction: C/ -> 2. In like manner a multiset with 
(finite repetitions oO elements from U may be considered a function: U — ^ o;.^ The cardinality of a 
multiset s is defined as 

if tlie sum exists and is finite, and as u otherwise since tlie universe U will always be countable in 
actor semantics. If si and 52 are multisets, then their muUiset (disjoint) union si y 52 is defined by 

Vu G C/ (51 y S2) (u) = si{u) + S2(u). 

Similarly their multiset ditFcrence sj — S2 is defined by 

ifsi(ti) < S2M; 






Vu G t/ (51 - _, _ 

\si{u) — 52(u) if si(u) > S2(n). 

Ifsi: t/i — > a; ands2: U2 —* uj are multisets, their multiset product si X »2' {U1XU2] -* u) is defined 
by 

V(ul, U2> eUiXU2 (si X 52) ((ui, U2)) = 5i(ui) X 52(1x2). 

Let the set of actors. A, and die set of messages, M, be countable sets. 
Definition. The set o/augmcnted actor event diagrams is the set D of structures 

{E,M,-act-^,P) 

'^ Aside from complicating the discussion of completed elements of the domain, dropping the requirement of an initial 
event would cause no problems. Finite activation, however, is needed to ensure tJiat the domain has only counlably 
many isolated elements, Hxtending the essential theorems of Chapter 111 to domains with uncountably many isolated 
elements apparently requires the axiom of choice. 

•^'ITiis suffices for the semantics given here. Other applications may require a more sophisticated treatment of multisets. 
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where 

• E is the set of (realized) events. 

• M is the message function. 

• —ad-* is the activation ordering. 

• P is the multiset o/pending events. 
and the following hold. 

• Eisa subset ofX X u; such that ifi < n and {a, n) G E then (a, i) G E. 

• M is a function: E -+ M. 

• —act-^ is an irreflexive partial order on E such that no event has more than one immediate 
predecessor. 

• P isa multiset (with finite repetitions) of elements from (A X M) X E. That is, P is a function: 
((A X M) X E) -> w. 

• Finite Delay. IfE is infinite, then P is empty. 

Let the target fund ion T: E -^ A be defined by T{{a, n» = a. 
For a E A, let ///£' arrival ordering of a, —arva-^, be defined on E by 

{a, i) —arra-^ (a', j) <=> a = a' and i < j. 

Let the combined ordering on E, -*, be defined as the transitive closure of 

-act-* (J((J{-arra-*| a G A}). 

• Law of Strict Causality. For no e G E doese -^ e. 

• Law of Countability. £7 is countable.^^ 

• Law of Finite Predecession. For all events gy the set {e | e -+ ei } is finite. 

• Initial Event. Either E andP are both empty or there exists an event cq such that 
Ve G £■ Co = e oreo — act—* e. 

• Finite Activation. For each eEE the set of events activated bye is finite. That is, 
{d EE\e —ad-* e' and -^3e" e —act-* e" —ad-* ef } is finite. 

^"'ITiis law is redundant here since A is countable and E is a subset of A X w. 
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pending: 

add ^3 4 activated by: (/, 0) 

/ <— 3 activated by: {add, 0) 



pending: 

/ ^— 3 activated by: {add, 0) 

/ +- 7 activated by: {add, 1) 



< 



/ f- 1 2 3 4 k 



/ ^ 1 2 3 4 ^. 



add ^ 1 2 




add t— 1 2 



add <— 3 4 



Figure 3. An example of the initial history ordering. 



pending: 

add ^ 3 4 activated by: (/, 0) 

/ 4- 3 activated by: {add, 0) 



pending: 



7 activated by: (odd, 1) 



7^1234 \ 



^ /-1234 f, 




add +—12 




add f- 1 2 



► add <— 3 4 



Figure 4. A non-example of the initial history ordering. 

• Finite Activation. For each eEE, the multiset of pending events activated by e is finite. That is, 
{ {{a, m),e)eP\ae^,meM} is a finite multiset}^ 
(End of definition.) 

The partial order to be placed on D coincides with the notion of an initial history of a computa- 
tion. For a:, y E D, a: < y means tliat a: is a possible stage a computation could go tlirough on its way 
to y. That is, x <]j means y could be obtained from x by a process of expanding pending events. A 

^'in view of the requirement of Finite Delay, a simpler way to state this is to say that P is a finite multiset. In the 
completion, however, where Finite l>lay does not hold, /' can be infinite. 
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pending: 

add ^3 A activated by: {/, 0> 

/ <- 3 activated by: {add, 0> 



pending: 

user ^ 3 activated by: {add, 0) 
/ t- 3 activated by: {add, 0> 
/ ^ 7 activated by: {add, 1) 



/ 4- 1 2 3 4 ^, 



7^1234 ^, 



^^ acid ^12 




add +—12 



» add +—3 4 



Figure 5. Another non-example of the initial history ordering. 

pending event is expanded by making it into an actual (realized) event and adding any pending events 
that it may activate. Normally the new pending events would be determined by the current behavior 
of the target of tlie newly realized event. Since < is defined without reference to behaviors, Uiough, 
x<y means that for some assignment of behaviors to actors y can be obtained from x through some 
sequence of event expansions. 

The best way to understand the initial history ordering < on D is by way of examples and 
near misses. Figure 3 is an example of <. Figure 4 is not an example because one of Uic pending 
events disappears without being realized. Figure 5 is not an example because a pending event whose 
activator had already been realized appears out of nowhere. 



Definition. Let x = {E„ M,, -act-^„ P,) E D and y = {Ey, My, -aci-^y, Py) G D. a: is an 
initial history of y, written x<y, if and only if 

•E^QEy. 

• ^eGE^ A4(e) = My{e). 

• Ve^GE^ e—ad-^a^e' « e—act-^ye'. 

• Each pending event in x is accounted for exactly once in y, either as a pending event in Py or as 
a realized event in Ey. Furthermore all the pending events ofy activated by events already in x must he 
accounted for in this way. More formally, using {} to indicate multiset abstraction in which repetitions 
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(These diagrams use the notation (e) to indicate tlie activator ?, of a pending event. Also the 
arrival ordering of a is labelled at its top, so only messages are written beside event dots.) 



pending: 

user <— ((a, 0)) 

a ^ 1 ({a, 0» 

a 



< 



pending: 

user <— ((a, 0)) 

a ^ 2 {(a, 1» 



pending: 

u&tr ^ ((a, 0)) 

a^3({a,2» 



< 



a 



pending: 

user <— ((a, 0)) 

a^4((a,3)) 



i 



< 



< 



pending: 

user +— ({a, 0)) 

a ^ 5 ({a, 4)) 



a 

► 1 
o2 






< 



pending: 

user +— ((a, 0)) 

o +- 6 ((a, 5)) 



..0 



< 



Figure 6. An increasing sequence with no least upper bound. 

are counted, 

Px = {((a,m>,e)GPy|eG^.} 

(+1 { ((Ty(e'), M;(e')>, e> K G ^y - ^x, e = ach' vator (e'), a«^ e^E^} 

where activator [e') is the unique immediate predecessor ofd in the activation ordering ofy. 

Definition. (D, <) is the actor event diagram domain. 

The actor event diagram domain is a domain by the definition of Chapter III. The isolated ele- 
ments are those with a finite number of realized events. The least element has no events at all, realized 
or pending. The domain is not w-complete, because there exist increasing sequences having no least 
upper bound. Figure 6 gives such a sequence in which an event remains pending forever. Though this 
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user ^x"/ 



user 







t^' 



^►8 



Figure 7. Two upper bounds for the sequence of Figure 6. 

sequence has no least upper bound, it has many incomparable minimal upper bounds, and Figure 7 
shows two of tliem. 

The least upper bound of a directed set X C D will be written V ^ if it exists. In view of 
the following theorem, V X exists if and only if eitlier (1) the union of the sets of realized events of 
elements of X is finite; or (2) for every element x of X, for every pending event p of a:, there exists 
x' E X such that p is realized in xf. 

Theorem 1. If X G^D andu = y X, then for every event e of u there exists x G X with e an 
event of x. 

Proof Suppose u is an upper bound for X in D and that e is an event of u. If there does not 
exist X G X with e an event of a:, then it is possible to alter u so as to obtain another upper bound for 
X incomparable with u. Simply remove from u all activation successors of e and all pending events 
activated by e or its activation successors, and then rename the remaining realized events. Call the 
resulting augmented event diagram u'. Since no event following e in tlie combined ordering of u can 
be an event of any x G X, u' is also an upper bound for X. Either u and n' are incomparable, or 
u = u'. In the latter case, obtain u" from u = u' by inserting a new event in the arrival ordering of 
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T(e) immediately after e, letting e be its activator, u" is then an upper bound for X incomparable with 
u. I 

In the case of Figure 6 any least upper bound would have to have both infinitely many realized 
events and a pending event. The requirement of Finite Delay thus rules out a least upper bound for 
the sequence. 

The w-completion of the actor event diagram domain is easily characterized up to isomorphism. 
Just drop tlie requirement of Finite Delay from the definition of D to obtain its w-completion D. 

As noted in §111.5, the event diagrams corresponding to sequential computations have linear 
activation orderings. In other words, no event activates more than one event. Such event diagrams 
forni an u;-complete subdomain of D. 

Aside from the least element J_, which represents a computation not yet started, those elements 
of D having no pending events represent computations that have terminated or that have mn on to 
infinity, as distinguished from computations with pending events which represent computations still 
in progress. Excluding the least element J_, those elements of D with no pending events will tiierefore 
be called the completed elements of D. The completed elements may also be characterized as the 
maximal elements of D. 



IV. 4. Meanings as Fixed Points 

Since D is a domain, its power domain, P(D], exists. F[D] is the semantic domain in which 
programs written in actor-based languages will be given meanings. 

Let Q be a program, with 

'iP(Q):A->F 

the function giving the initial behavior of each actor as dctemiincd by the program Q. These be- 
haviors will be used to define a continuous function U on P[\)] whose least fixed point will serve as 
the meaning of the program Q. 
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For X an ordered pair, let a: i 1 be the first and a: i 2 be the second clement of the pair. Let 

next: (F X (A X M)*) -> F 

and 

pend: (F X (A X M)*) -. ((A x M) -^ w) 

be defined as follows, next [x) = xili^ the behavior part of the pair, pend [x) is die multiset with 
elements from A X M such Uiat pend (x) ({a, m» is die number of times diat (a, m) appears in die 
sequence a: i 2. If is the behavior of an actor when it accepts die message m of an event e, dien 
next {4> m) is the next behavior of die actor, and pend (0 m) X { . } is die muldset of pending events 
activated by e. 

/,: P[D] -^ P[D] will be defined pointwise from a funcdon /: D -^ P[D], which will in turn 
be defined from a Unction g: D -. P[D] . For a: G D, p (x) is essendally the set of augmented event 
diagrams diat residt from expanding exacdy one pending event of a: in accord widi the actor behaviors 
specified by die program Q. In fact g{x) is a little more, because g{x) has to sadsfy die closure 
requirements diat hold for elements of die power domain. 

The first step in defining g is to define g (_L), which amounts to deciding how program execution 
should be inidated, which in turn amounts to deciding on an inidal event. It is an arbitrary decision, 
but suppose that execution begins when a special message m^ arrives at a pardcular actor oq singled 
out by the language. (For die toy language described in die appendixes, mo is die empty sequence ( ) 
and die target of die inidal event is {program, 0).) 

Therefore let 

g(±) = {{E,M,-~act-^,P)Y 

where "" is die closure operadon defined in §111.3 and 

^ = {(«o,0>} 
Af ((oo, 0» = mo 
— ad— + = 

P = pend {^S> [Q) 00 mo) X { (oo, 0) }. 
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Now to define g on x ~ {E,M, —act-^,P) G D, where x y>^ _L. Let behavior (a) be the 
current behavior of actor a in x, that is, the behavior of actor a after it has accepted tlie messages of all 
tlie events in its arrival ordering. More formally, define the successive behaviors of a by 

b{a,0) = 9(Q)a 
b{a,n-\- i) = next {b (a, n) {M{{a, n)))) 

and let behavior [a] = b {a, n) where n is the least integer such that (a, n) ^ E. If there are infinitely 
many events in the arrival ordering of a, so that no such n exists, then the current behavior of a is 
undefined. 

If P is empty, there are no pending events to expand and so let 

g{x) = {xr 

where "" is the closure operation defined in §111.3. Otherwise for each p = {{a, m), e) E P, or more 
properly for each p E ((A X M) X E) such that P{p) 7^ 0, let x (a, m, e) be the element of D 
obtained by (1) adding a new event to x with target a, message m, and activator e; (2) subtracting the 
pending event p from the pending events of a:; and (3) adding the pending events activated by the 
new event. Then define 

g{x) = {x (a, m, e) | ((a, m), e) G P }". 

'lb define x (a, m, e) more precisely, let n be the least integer such tliat (a, n) ^ E. Such an n 
must exist because the existence of pending events implies that the set of events is finite. Then 

X (a, m, e) = (£", M', —ad^', P') 

where 

e=r.E{}{{a,n)} 

'M(e) if e 6 E 



{ 



M'(e) 

m if e = (a, n) 

ei —ad-^' 62 <=* (t'l, e2EE and ei — aci-+ 62) 

or (e2 = (a, n) and (ei = e or ei — ad— ^ e)) 

P' = {P~{ {{a, m), e) }) (+) (pend [behavior [a) m) X { {a, n) }) 
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This completes the definition of j: D -> P[D]. Define/: D -» P[D] by 

Some observations: 

• If ((a, m), e) is a pending event of x, then a; < a: (a, m, e). 

• If a: < y then a: G ^ [y). In particular a: 6 / (a:). 

• If a: is isolated, then g{x) contains only isolated elements. This follows from the property of 
D that if y G D is isolated, and x <y, then x is also isolated. 

• If a; is not isolated, tlien g [x) contains exactly one element that is not isolated, namely x. This 
follows from the fact that elements of D that are not isolated are maximal in D. 

Theorem 1./: D — + P[D] is uj- continuous. 
Proof. Let a: < y. Then 

z<Z.x 2<y 

SO / is monotonic. 

To show / w-condnuous, let { Xi }^-^^ be an increasing sequence in D having a least upper 
bound X = View ^i- ^-^^^ ^ ^- ^^^ ^^ isolated, then there exists Xi with z < Xi, whence 

9{z)^ \J 9{z) = fixi)n,\Jf{xi). 
On the other hand, ifz is not isolated then z = x and g {z) = { a: }". Xi E / [xi] for each i, so 

iGw I'Gu; 

Hence 

9W = {xrc LI /w- 
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and applying the closure operation to both sides yields 

Monotonicity implies the reverse direction, so / is u;-continuous. | 
Define/.: P[D]-^P[D] by 

/+(y4) thus consists of tlie augmented event diagrams in A together with all the event diagrams that can 
be had by taking an element of A and expanding one of its pending events. 
The following general theorem shows that /♦ is ^-continuous. 

Theorem 2. LetD be a domain, and let f: D —^ P[D] be uj-continuous. Then f^: PlD] — > P[D] 
defined by 

fM) = U /W 

xGA 

is Lo- continuous. 

Proof. Monotonicity is obvious. Hence it suffices to show 



for increasing sequences 



t'Gw i^ij3 



Let 



.4o C /ti C /42 C /43 C • • • . 



i'Gw 
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Let W Q\J{f{x) \x e (Di^^AiY } be a directed set with c = yw. For it; G Vy let Z^, C 
[Ji^ui^i be a directed set with 

Let Yu, C Ueez / W ^e a directed set of isolated elements with w = \/ Y^,. Let Y == Uu;gw ^«^- 
Then 

c = \Jw = \/{[j Y^) = \/Y 

iuGW 

and 

Y= [j Y^ 

wGW 

£ U U /(-) 
c U U /w 

^ U /*(^^)- 

Furthermore, K is directed: if yi E Yu)^ and ^2 G ^u>2. then let W2 be an upper bound for wi 
and W2 in VV. Since yi and yi are isolated, yi^g is directed, and 

yi, J/2 < ^^3 = V ^'loa; 

there exists y[, y'2 E Yur^ with yi < y'^ and y2 < 1/2- Let y.\ be an upper bound for y^^ and y2 in Y^^. 
ya is then an upper bound for yi and xfi in y. 
Therefore 

ce{U/«('^')r=U/'{'^')- 

I 

Being continuous, /*: P[D] — > F[D] has a least fixed point 



/1q = U /' (-J-)- 



iGcJ 
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Define the meaning of the program Q'to be tliat least fixed po'mi Aq. The theorems below show that 
Aq is the set of initial histories of the actor event diagrams that correspond to completed computa- 
tions of Q. 

They also show tliat this power domain semantics is compatible with Greif s behavioral seman- 
tics.^^ Behavioral semantics does not use pending events or fixed points. Instead it uses causal axioms 
to go directly from behaviors to the set of completed computations. Essentially these causal axioms 
state that a completed computation is an actor event diagram that is complete with respect to the 
initial behaviors. 

Definition. An augmented actor event diagram x = {E,M, — act—^,P) E D w consistent with 
respect to the initial behaviors given by 

^ [Q): A -> F 

ifffor each event e = {a,n) GE 

pend [b (a, n) (M(e))) = { (a', m') | ((a', m'), e> G P } 

(+){ {T(e'), M{e')) \e' EE ande = activator [e') } 

(where { • } indicates multiset abstraction in which repetitions are counted). In other words, the pending 
and realized events activated by e are as they should be according to the behavior of a = T{e) at the 
time of the event e. 

Definition. An augmented actor event diagram x = {E,M, — act—^,P) E D « complete with 
respect to the initial behaviors given by 

iff^ 7^ -L,P is empty, and for each event e = {a,n) GE 

pend [b {a, n) (M(e))) = { (T(e'), M(e')) \ e' G E and e = activator {^) } 

(where { • } indicates multiset abstraction in which repetitions are counted). In other words, x has at 
least one event, x has no pending events, andx is consistent with respect to the initial behaviors given by 

^^Irene Greif, "Semantics of communicating parallel processes", MIT Project MAC Technical Report 154, September 
1975. 
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The following theorems prove tliat the actor event diagrams that are complete with respect to the 
initial behaviors given by ^ (Q) are precisely the completed elements of the least fixed point. (Recall 
that the completed elements of D are just the maximal elements of D.) 

Theorem 3. Every element of the least fixed point Aq is consistent with respect to the initial 
behaviors given by'S'{Q). 

Proof. Refer to the definition of the initial history ordering < and the theorem following it in 
§3. l(x <. y, and y is consistent with respect to the initial behaviors, then x is also. If X C D is 
directed, each element of X is consistent with respect to the initial behaviors, and V^ exists, then 
y X m consistent with respect to the initial behaviors. Thus if every element of y C D is consistent 
with respect to tlie initial behaviors, tiien so is every element of Y^. It follows diat if for a E I each 
clement of Aa G P[T>] is consistent, tlien each element of Uae/^a is consistent. 

Hence most of die operations involved in the construction of Aq = [Ja^^^fKA-) preserve 
consistency. J_ is consistent with respect to any initial behaviors. There remains only to show that if 
a: E D is consistent, then the elements ofg{x) are consistent. 

Both elements ofg{±.) are consistent. If a: is consistent and has no pending events, then g {x) = 
{xY so the elements ofg{x) are consistent. If 2; is consistent and has {(a, m), e) as a pending event, 
then X (a, m, e] is consistent. Thus g {x) contains only consistent elements. 

Therefore every element of Aq is consistent with the initial behaviors given by •? {Q). | 

Theorem 4. 

Aq = {xE:^\xis consistent with respect to the initial behaviors given by ^ [Q) }. 

Proof. The preceding theorem takes care of tlie forward inclusion. 

Let X = {E, M, —act—^, P) E D be consistent with respect to tlie initial behaviors given 
by ^ {Q). By Theorem 1 of §11.5 there exists a one-to-one mapping g: E -^ u) tliat preserves the 
combined ordering — +. For i E oj, let Xi be the unique element of I) such that xi < x and Xi has 

{eE:E\g[e) = j for some i < i } 
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as its set of realized events. Then for each i E w 

and so 2: = Vfec ^i ^ liieu, ft (-L)- I 
Definition. If A G P[D], then 

completed [A] = {x EA \x is maximal m D }. 

Corollary 5. 

completed (/4q) = {xET)\xis complete with respect to the initial behaviors given by ^ [Q) }. 



§8 describes a power domain isomorphic to (P[D], C) in which the least fixed point of /♦ 
contains only the completed elements. 

The following theorem confirms a claim made in §111.5. 

Theorem 6. Every element of the least fixed point Aq is an initial history of a completed element of 

Proof Let x E Aq = Ui^ujft i-0- Either x is itself completed orxEf^ (_L) for some nEuj. 
In the first case tliere is nothing to prove. 

In the second case it is possible to construct an increasing sequence in Aq beginning with x that 
has a completed least upper bound. Let the pending events of 2: be po = ((oo, rno), eo), ■ . . ,Picq. Let 

Xo = X. 

Let xi = xo{a^, mo, eo) and let pi, . . . ,pfeo, • • • ,Pfci be the pending events of xi, where 
P\, . . . , Pko aic the same as before. 

The induction hypothesis for i is that for all j < i Xj < Xj^i, and for all j < i Xj E 
f^~^^ (_L) and either Xj is completed or the pending events ofxj are pj, ... , p^^. Ifxi is completed, 
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define Xi^i = Xi. Otherwise define Xi.^i = Xi [ai, mi, e^) wfiere pi = ((a/, rrii), ei). If a:i-|_i is not 
completed then let the pending events ofxij^i be Pi-i-i, . . • , Pfc^, . . . , Pki+^ where Pi-fi, . . . , Pfci are 
the same as before. 

The least upper bound of the sequence { xi }^^^ exists and is a completed element of /4q. | 

What has been accomplished? 

Augmented by pending events, the actor event diagrams fonii a domain under the initial history 
ordering. Although the actor event diagram domain is incomplete, its power domain exists and 
provides a fixed point semantics for actor-based languages. This power domain semantics, which is 
denotational, is com^patible with behavioral semantics. 

The actor power domain shows that a power domain whose underlying domain is incomplete can 
deal with finite delay and the unbounded nondetcrminism that results. 

IV. 5. Example: Infinite Loop 

This section calculates tlie fixed point for a program that loops forever. It is interesting to 
compare this example with tliat of the next section. 

As in the examples of the next two sections, tliere are only two actors to consider. One of the 
actors is the user, which simply accepts messages. The other actor is oq, the target of the initial event. 
Its behavior is defined by an Atolia program.^^^ In this instance, the program is 



(loop = accept [ ] 

send "addl" to loop ; 
become i initially 
inside 
accept [ msg ] 
if equal [ msg "addl" ] 

then change i to plus [ i 1 ] ; 

send "addl" to loop 
else 
if equal [ msg "halt" ] 

then send i to user ; become accept [ ] dummy 
else dummy). 

^^See §V.5. 
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UF./:(-i-) = (Ue./:(-L))u< 



00 



C ] 

addl 
addl 
addl 
addl 
addl 
addl 
addl 



y> addl 



Figure 9. The least fixed point Uiew/i(-L-) for loop. 



This program says that when oq receives the go message mo (which will be written [ ] in event 
diagrams) it initializes itself to a state and sends itself an increment instruction. When it accepts an 
increment instruction in state i, it enters state i + 1 and sends itself another increment instruction. 
Were it ever to accept a halt instruction, it would tell the user its current state. Its initial behavior is 
6: M -4 (F X (A X M)* given by 

mo^ {bo,{[ao +- addl])) 

{bi^i,{[aoi~ addl])) 
{passive, {[user +— i])) 

m I-+ {passive, { )) 

where [t +~ m] indicates the ordered pair {t, m) signifying tliat the message m is sent to the target t. 
Messages tliat do not match one of the cases given arc just ignored. 

It is easy to calculate the least upper bound of the function /*: P[D] — > P[\)] associated with 
this very simple program. The stages f\ (_L) are shown in Figure 8. The least fixed point is shown in 
Figure 9, and tlic lone completed element of the least fixed point is shown in Figure 10. 

The event diagrams in these figures are drawn compactly, with each actor's arrival ordering 



6: 

hi[iSu})\ addl 
halt 

passive: 
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f.{±) = {±} 



fl{±] = f.U)\j{ 



iOending: 

an f- addl ((ao, 0» 



'pending: 

_ao — addl ((oo, 1» 

/2(j_)=/:(x)u; <^ 

> addl 



pending: 

Oo ^ addl ((oo, 2» 



fl(±) = fU±){j{ "« 



4 



.> [ ] 
i> addl 
addl 



ft{±) = fl(±)[jl 



fl{±) = ftU)[J{ 



pending: 

Oo ^ addl ((oo, 3)) 

^ addl 
p> addl 
*» addl 

pending: 

Oo +-- addl ({oo, 4)) 

2* addl 

^» addl 

> addl 

^» addl 



and so on. 



Figure 8. /:(J_) for loop. 
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oo 



completed (U,e=,/:(-L) 



i 



[ ] 

addl 

addl 

addl 

addl 

addl 

addl 

addl 

addl 



Figure 10. completed (|J.^^ /i (_L)) for loop. 

labelled at its top by the name of the actor so only messages need be written beside events. The 
activator of a pending event appears in parentlieses after the pending event. Recall tliat (a, n) is the 
(n + l)th event in the arrival ordering of a. 

For all programs the stages fl (_L) contain finite initial histories only. It is the least upper bound 
operation |J that puts elements representing nonterminating computations into the least fixed point. 
The least upper bound of { f\ (l_) \ i E a; } consists of the union UiGu;/* (-L-) togedier with all 
existing least upper bounds in D of strictly increasing^'* sequences of elements from the union. In this 
example all strictly increasing sequences of elements from the union have the same least upper bound, 
so the least fixed point of/* contains only one event diagram tliat does not appear in any f\ (_L). 

In the next example the strictly increasing sequences of elements from Uiecj/U-L) have no 
least upper bound, so the least fixed point is the same as the union. 

IV. 6. Example: Terminating Unbounded Choice 

The following program has unbounded nondctcrminism. 
^''A strictly increasing sequence { Xi }jg^, has Xi < xi-^i and xi j^ Xi-fi for all i E. w. 
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(choose = accept [ ] 

send "addl" to choose ; 
send "halt" to choose ; 
become i initially 
inside 
accept [ msg ] 
if equal [ msg "addl" ] 

then change i to plus [ i 1 ] ; 

send "addl" to choose 
else 
if equal [ msg "halt" ] 

then send i to user ; become accept [ ] dummy 
else dummy) 

This program is almost the same as the 1 oop program given in the last section. When actor oq accepts 
the go message mo, it initializes itself to a state and sends itself both an increment instmction and a 
halt instruction. Since all messages must eventually arrive at their targets, oo will eventually accept diis 
halt instruction and terminate. Unlike the 1 oop program, then, the choose program must terminate. 
The initial behavior of ao is b given by 

b: mo\-^ {bo, {[ao <— addl], [ao ^ hal t])) 

bi [i G u)): addl i-^ (6j_^i, ([oo ^ addl]}) 
hal t i-f {passive, {[user <— i])) 

passive: m i-> {passive, { )). 

Again it is easy to calculate die least upper bound of tlie function /+: F[D] — > P[D]. The stages 
fi (_L) are shown in Figure 11. The least fixed point is 



U /: U-), 



xGw 



that is, the union of the stages in Figure 11, and the set of completed elements of the least fixed 
point is shown in Figure 12. There are no elements representing nonterminating computations in 
the least fixed point because the strictly increasing sequences of elements from Ui^^fUl.), such 
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pending: 

ao ^ addl ((ao,0» 



/j(_L)=/:u)u< 



pending: pending: 

00 +- addl ((oo, 1» oo <- addl ((ao,0)) 

oo f- halt ((oo, 0)) user +- ((oq, 1» 



oo 



00 



■»^ addl V^ halt 



fl{±) = fU±.)\J 

pending: pending: 

ao <- addl ((ao, 2)) oo +- addl ((oo, 1)) 

Oo <— hal t {(ao, 0)) user f- 1 ((oq, 2)) 



pending: 

user +— ((oo, 1)) 



pending: 

ao^ addl ({oo, 0» 



ao 



?: 



[ ] 

addl 
addl 



[ ] 
addl 

r halt 



Oo 



Oo 



^ 



At] 

Ir halt 

^> addl 



f!j^ halt 
us 



user 



/i(x) = /2U)U 



pending: 



pending: 



pending: 



pending: 



ao ^ addl ((ao, 3)) ao ^ addl ((oo, 2» ^^^^ ^"^ ,, ^u "o <- addl ((ao, 1» oo 



ao ^— hal t ((ao, 0)) user ^ 2 ((oo, 3)) 



Oo 

T ' T '/Km 



Oo 

[ ] 
addl 

*r halt 



-I 



\ 



user 




(Continued on next page.) 



Figure 11. /i(_L) for choose. 
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fU-L) = ftU)\J 



'pending: 



ao 
do 



addl((ao,4» 
halt((ao,0>) 




pending: 

00 ^ addl ((oo, 3» 

user <— 3 ((oq, 4)) 




pending: 

user <— 2 ((oq, 3)) 



00 



I 



[ ] 

addl 

addl 

halt 

addl 



pending: 

ao^ addl ((ao,2)) 





'pending: pending: 

ao <- addl ((ao, 5» oo f- addl ({oo, 4)) 

ao <— hal t ((ao, 0}) user +— 4 ((oo, 5)) 

Oo Oq 



M , / 


\ '^ ^ 


addl ^ 


A addl 


addl J" 


. addl 


addl h 


' addl 


addl t 


• / addl 


addl 


• halt 



pending: 

user +— 3 ((oo, 4)) 




pending: 

ao +— addl ((ao, 3)) 





/:a)=/^u)u 



'pending: 

ao <— addl ((ao, 6)) 

ao ^ halt ((ao, 0)) 



Oo 



1 



[ ] 

addl 

addl 

addl 

addl 

addl 

addl 



pending: 

ao +- addl ((oo, 5» 

user +— 5 ((oo, 6)) 



Oo 



C ] 

addl 
addl 
addl 
addl 
addl 
halt 



pending: 

user i— 4 ((ao, 5)) 



00 



[ ] 
addl 

addl 
addl 
addl 
halt 
addl 



pending: 

ao^ addl ((ao, 4)) 




user 




and so on. 



Figure 11. (Continued from previous page.) /!l(_L) for choose. 
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completed (U,v.,/:(-L)) = 



Oo 



z;^ 



[ ] 

halt 



\ 



user 
addl 



Oo 



y) addl 
j >v user 

[ >i 

► addl 





user 



user 





user 



Figure 12. completed ([J^^^ /i (_L)) for choose. 

as the sequence in Figure 13, do not have least upper bounds in D. Had the power domain been 
formed from the w-completion D, the least fixed point would contain an element of D representing a 
nonterminating computation in which an event remains pending forever. 

In tlie existing implementations of Atolia on sequential machines, tire ciioose program always 
produces 0, 1, or 2 when run all by itself. This is allowed by loose nondcterminism: implementations 



115 



pending: 

ao^adcll((ao,0» 
JL < oo ♦- halt ((oo, 0» 



< 



pending: 

ao ^- addl ((oo, 1» 

oo +- halt ((ao,0» 



4 ^^ 

-"f addl 



< 



pending: 

Oo +- addl ((ao,2)) 

00 ^- halt ((ao,0» 



Oo 



2* addl 



addl 



pending: 

Oo ^ addl ((oo, 3)) 

Oo ^ halt ((ao,0» 

< Oo 

[ ] 
addl 
addl 
addl 



I 



< 



pending: 

00+- addl ((ao,4)) 

Oo +- halt ((a(),0» 



00 



2* addl 

2* addl 

> addl 

*•'► addl 



< 



pending: 

Oo ^ addl ((oo, 5)) 

00+-- halt ((ao,0)) 



00 



I 



C 3 

addl 
addl 
addl 
addl 
addl 



< 



Figure 13. A strictly increasing sequence in [Ji^^fiiA-) with no least upper bound. 

are not required to preserve all tlie nondeterminism present in the semantics. 

Even in tlie existing implementations, however, choose can return a result greater than 2 when 
other programs run pseudo-concurrently. Every bound that might be placed on die result can be 
exceeded by placing a sufficiently heavy burden on die Atolia processor. 

IV. 7. Example: Possibly Nonterminating Choice 

Sequential programs with choice points are sometimes used in attempts to model nondetcrminis- 
tic concurrency. Such attempts arc bound to fail since choice nondeterminism is bounded. This 
section shows how arrival nondeterminism can successfully model choice nondeterminism. 

The program below uses an "arrives-first" choice. Its nondeterminism is bounded. 
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(choice-loop = accept [ ] 

send "addl" to choice-loop ; 
send "stop" to choice-loop ; 
become i initially ; 

waiting initially false 

inside 
accept [ msg ] 
if waiting 

then if equal [ msg "stop" ] 

then change i to plus [ i 1 ] ; 
change waiting to false ; 
send "addl" to choice-loop ; 
send "stop" to choice-loop 
else dummy 
else if equal [ msg "addl" ] 

then change waiting to true 
else 
if equal [ msg "stop" ] 
then send i to user ; 

become accept [ ] dummy 
else dummy) 

When actor ao accepts the go message mo, it initializes itself to a state and sends itself both an 

increment instruction and a stop instruction. It obeys whichever instruction arrives first. That is, if 

ciQ is in state i and the stop instruction arrives first, then oo sends i to tlie user and terminates. If the 

increment instmction arrives first, though, then ao waits until the stop instmction arrives. When the 

stop instmction arrives, instead of stopping ao enters state i + 1 and begins the cycle again by sending 

itself both an increment insti'uction and a stop instruction. The initial behavior of oq is b where 
b- mo H-> (6o, {[ao f- addl], [oo ^ stop])) 

bi'. addl (-+ {waiti, ( )) 

stop H-> {passive, {[user +— i])) 

waiti (i S to): stop t-^ (6i_|_i, ([oo <~ addl], [oq ^ stop])) 

passive: m h-> {passive, { )) 

The stages fl (_L) for the function fl associated with tliis program arc shown in Figure 14. The 

least fixed point is shown in Figure 15, and the set of completed elements of the least fixed point 
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/?U) = {-L} 

fi{±) = f.U)U{ 



pending: 

00^ add 1 ((aO)) 

oo ^— stop ((aO)) 



pending: 



;^u)=/;{x)u^ 



pending: 

ao-addl((aO)) 
oo ^ stop ((aO)] ^ ,/ ,.^ 

Oo 



ad!. SlV 

♦^^ stoi 



'pending: pending: 

a<j ^ addl ({a2» oq ^ addl ((aO)) 

Oo <- stop ((a2» Oo 



fiU) = fA±)U{ «o 



<) 



[ ] 

addl 
stop 



ft StO| 



user 




pending: 

user f- ((oo, 1)) 

I r stop 
^» addl 



/^(_L)=:/2(_L)U< 



pending: 

Oo <— stop ((a2)) 

Oo 

[ ] 
addl 



? 



stop 
addl 



(Continued on next page.) 



pending: 

ao^ addl {{a 2)) 

user +— 1 ((oo, 3)) 

Oo 

^o\ addl 
s. stop 
'►*'' stop 



Figure 14. fi{±) for choice- loop. 




user 



'► addl 
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/^{_L) = /^(_L)U< 



fA±) = flU)U{ 



'pending: 

oo^ addl ((a 4)) 

oo ^ stop ({a 4)) 

00 

[ ] 

addl 

stop 

addl 

stop 



pending: 

oq ^ stop ((a 4)) 

00 

[ ] 

addl 

stop 

addl 

stop 

addl 






pending: 

ao ^ addl ((a 2)) 
Oq 
[ ] 



/S L J 
<J addl 

r stop 

'f stop 



user 

pending: 

ao +- addl ((a 4)) 
user +— 2 ((oo, 5)) 
Oq 

[ ] 

addl 

stop 

II 

»P 
stop 



/\ StO| 

^oj add: 
mT stoi 



> 





user 



fl(±) = f.{-L)[J{ 



and so on. 



pending: 

a<) ^ addl ((a 6)) 

Oo ^- stop ((a 6)) 

Oq 

[ ] 
addl 

stop 

addl 

/f\ stop 

^J addl 

1^ stop 



pending: 

Oo <— addl ((a 4)) 

Oo 

[ 3 

addl 
stop 
addl 
stop 
stop 






user 
I 2 



pending: 

user H— 2 ((oo, 5)) 




Figure 14. (Continued from previous page.) fi{±.) for choice- loop. 
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|j/:(-L) = (U/*.(J-))U 



iGw 



JGw 



Oo 



t\ 



[ ] 

addl 
stop 
addl 
stop 
addl 
stop 
addl 
stop 
addl 
stop 



Figure 15. The least fixed point Uie<^/i(-i-) ^^^ choice- loop. 

is shown in Figure 16. There is one element in the least fixed point representing a nonterminating 
computation. Therefore the nondeterminism of the choi ce- 1 oop program is bounded. 

One might argue in defense of choice nondeterminism that if choice probabilities are positive, 
and choices are independent, then programs such as choi ce-1 oop should terminate with probabil- 
ity 1. Equivalcntly tliere should be merge programs that almost always performed a fair merge, in 
the sense that tlie probability of an unfair merge would be zero. Such a program would be good 
enough for engineering purposes. This argument fails because the nondeterminism that appears in 
a programming language semantics is loose nondeterminism. hnplementations are not required to 
preserve all the nondeterminism that is present in tlie semantics. In particular, unplementations are 
free to choose the same alternative in every case, so tliat in some implementations choi ce-1 oop is 
certain not to halt 

IV. 8. Relation to Standard Power Domains. 

Usually in a power domain semantics the least fixed point consists only of completed elements, 
so applying an operation such as "completed" to die least fixed point is unnecessary. It is tempting 
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completed ([J,ec./:(-L)) 



Oo 



9 
'} 



[ ] 
addl 

stop 

addl 

stop 

addl 

stop' 

addl 

stop 

addl 

stop 




user 



o addl 




user 



addl 





user 




Figure 16. completed ([J. ^^ /^JL)) for choice- loop. 
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to sec this as a defect of tlie actor power domain, but the quibble can be met on its own terms by 
the same sort of mathematical sleight of hand that causes least fixed points in other power domains to 
contain only completed elements. For (D, <) a domain, define \hQ frontier of A G Pp] to be 

frontier [A) = {x E A\^y EA x <y =^ x — y}. 

Define the frontier closure^ ^ of AQD tobe 

(frontier (A) if A'' = (frontier (A)Y\ 
A^ = l 

{ A^ otherwise. 

Then define another power domain (F'p], ^') by 

P'[D] = {Af\±EAaD} 

and for a\\B,CEP'[D] 

B^'C <=> B'Q C. 

(P'[D], C') is clearly isomorphic to {P[D], C) \'mA^ ^ A". 

Consistently replacing references to P[D], C, |J. and "^ in §4 by references to F'[D], C', |J'. and 
f defines /, as a continuous function from F'[Dl to P'[D]. Its least fixed point is precisely the set of 
elements of D tliat are complete with respect to the initial behaviors. 

What tlien is the relationship between standard power domains and the power domains used 
here? When D is w-complete, P[D] i^ just the standard power domain of D. Chapter III simply 
extends the standard power domain construction to apply to incomplete domains. This chapter 
illustrates the value of that extension. 

For every domain D die power domain P[D] is isomorphic to the power domain P[D1 of its 
w-completion D. Nonetheless for some domains P[D] can represent unbounded nondeterminism 
while P[D\ cannot, llie key to this seeming paradox is diat die concrete interpretation placed upon 
elements of the power domain is important, llie purpose of taking fixed points in die power domain 

is not to select a member of an abstract algebraic structure but to define a subset ofD. 

^^Ilie frontier closure is a closure operation on the power set of D with respect to the preorders C' and Ci but not 
with respect to CI. 
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Chapter V 



Locality Laws 



The locality laws postulated by Hewitt and Baker enforce the idea that all information flow 
between actors is by means of message passing. As a practical matter, the locality laws rule out side 
effects to shared environments. Furthermore the information contained in a newly created actor's 
environment must be a subset of the information in tlie environment of the actor tliat created it. The 
locality laws state these restrictions in a fairly abstract way. They are independent of the ordering laws 
inasmuch as they ftirther restrict the set of actor event diagrams. 

This chapter extends tlic scmandcs of Chapter IV to deal with actor creation. It gives an example 
of a programming language semantics that violates die locality laws. The chapter closes by suggesting 
tliat the locality laws ought to be verifiable for the formal semantics of tnie actor-based languages. 

V.1. Actor Acquaintances 

In the terminology of programming languages, a procedural object created by associating values 
with the free variables of a syntactic representation of die procedure is called a closure. Closures are 
implemented as a pair of pointers, one pointing to die code to be executed when die closure is invoked 
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and the other pointing to the environment in which the procedure was closed. The environment 
supplies values for the free variables. 

Actors are analogous to closures. A difference between actors and the objects usually called 
closures is tliat closures can share environments, causing side effects when one closure changes the 
environment of another closure. An actor amounts to a closure whose environment is protected from 
such side effects. 

Just as a closure consists of code and an environment, an actor consists of a script and a vector 
of acquaintances. The script is simply the code for the actor. The vector of acquaintances provides an 
environment in which the script is evaluated when the actor accepts a message. An actor's vector of 
acquaintances can be altered only by that actor. 

The vector of acquaintances may contain pointers to other actors. While the pointers themselves 
cannot be side effected, die behaviors of the actors pointed to can change when those actors process 
messages sent to them. The vector of acquaintances tlierefore provides only one level of protection 
against side effects. 

An actor's vector of acquaintances may contain values other than pointers to other actors, or it 
may consist solely of pointers. In either case the actors that it points to are called acquaintances of 
the actor. An actor may alter its vector of acquaintances while processing a message, so its set of 
acquaintances may change over time. 

V.2. Actor Creation 

In statically scoped languages such as Algol and Scheme^ closures are created by evaluating a 
procedure abstraction. The environment in effect when the abstraction is evaluated becomes die 
environment associated with the closure. In actor-based languages actors are created by evaluating a 
behavior abstraction. The identifier bindings in effect when the abstraction is evaluated are gathered 
together into a vector of acquaintances. If need be, bindings arc copied to protect tiiem against side 

effects. 

'Guy Ixwis Steele Jr and Gerald Jay Sussman, "The revised report on Scheme: a dialect of Lisp", MIT Artificial 
Intelligence Memo 452, January 1978. 
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user 




Figure 1. Recursive computation of 4!. 



Consider tlie following subprogram, which computes tlie factorial function. 



(factorial = accept [ continuation n ] 

if or [ (lessp [ n 1 ]) (equal [ n 1 ]) ] 
then send 1 to continuation 
else (create ((mul tiply-by-n 

= accept [ X ] 

send times [ n x ] to continuation)) 
send [ multiply-by-n (minus [ n 1 ]) ] 
to factorial)) 



The toy language in which this subprogram is written was designed to make actor creation explicit. If 
diis subprogram is sent die message 

[ user 4 ] 
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it will create three new actors, ai, tt2, and 03, before ttic result, 24, arrives at tlie user actor. Actor 
fli is created as a result of die first event in die arrival ordering of facto ri al, 02 is created as a 
result of die second event, and 03 is created as a result of die third event. The event diagram for the 
computation is shown in Figure 1. 

The three created actors share the script 

accept [ X ] 

send times [ n x ] to continuation 

This script has two free identifiers, n and continuation. When factorial accepts the 
message [ user 4 ],it binds continuation to user and n to 4, and diose are the bindings in 
eflxjct when die c reate command is first encountered, so die vector of acquaintances for ai is 

identifier value 
n 4 
continuation • ^ user 

factorial then sends itself die message [ ai 3 ], so die vector of acquaintances for 02 is 

idenUfier value 
n 3 
continuation • >ai 

The last actor to be created is created while n is bound to 2 and continuation is bound to 02, 
so the vector of acquaintances for as is 

idendfier value 
n 2 
continuation • > 02 

These vectors of acquaintances may be kept on a stack in a sequential implcmentadon. They are 
part of the actor conceptually, however. 
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The distinction between iterative and recursive programs can be easily expressed in the actor 
model: iterative programs do not create any new actors.^ The following tail-recursive program, for 
example, is iterative. 



(factorial = accept [ continuation n ] 

send [ continuation n 1 ] to loop) 

(loop = accept [ continuation n product ] 

if or [ (lessp [ n 1 ]) (equal [ n 1 ]) ] 
then send product to continuation 
else send [ continuation 

(minus [ n 1 ]) 
(times [ n product ]) ] 
to loop) 



The actors created by the recursive version of factorial never change their vectors of ac- 
quaintances. For an example of an actor that changes its vector of acquaintances, consider tlie 1 cop 
program of §IV.5: 



(loop = accept [ ] 

send "addl" to loop ; 
become i initially 
inside 
accept [ msg ] 
if equal [ msg "addl" ] 

then change i to plus [ i 1 ] ; 

send "addl" to loop 
else 
if equal [ msg "halt" ] 

then send i to user ; become accept [ ] dummy 
else dummy). 



Its vector of acquaintances starts out with two entries, one of which points to 1 oop itself. 

^Carl Hewitt, "Viewing control structure as patterns of passing messages", Artificial Intelligence 8, 1977, pages 323-363. 
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identifier value 
loop • > loop 
user • ^ user 



Upon accepting its first message loop adopts a new behavior, differing in botti tlie script and in the 
vector of acquaintances: 

identifier value 
i 

loop • > loop 

user • > user 

It then proceeds to increase the value of i each time it accepts an addl message. 

V.3. Locality Laws Add Power 

Hewitt and Baker^ have proposed locality laws stating reasonable restrictions on die set of ac- 
quaintances of an actor and reladng acquaintances to actor event diagrams. This section gives a 
variant of die locality laws and shows diat adding die locality laws to die ordering laws considered in 
Chapter II gives a more powerful dieory. 

To the structure 

(E, A, T, —ad-*, Arr) 

considered in Chapter II and consisting of die set of events, die set of actors, the target function, the 
activation ordering, and the set of arrival orderings, add direc new objects acq, Aq, and creation to 
obtain a structure 

(E, A, T, — act—*, Arr, acq, Aq, creation). 

acq is a fijnction: E -+ subsets (A) giving for each event e the set of acquaintances of T(e) at die 

time of the event e. Intuitively acq{e) is die set of actors diat the target of e already knew about 

■^"Laws for communicating parallel processes", lI"IP-77, Toronto, August 1977, pages 987-992, and "Actors and continuous 
functionals", ll'Il' Working Conference on Formal Description of Programming Concepts, St Andrews, New Biunswick, 
Canada, August 1977, 16.1-16.21. 
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when it accepted tlie message of e. Aq is the set of primeval actors, the set of actors that exist when 
computation begins. Thus Aq is a finite subset of A. creation is a function: (A — Aq) — ^ E giving for 
each actor created in the course of computation the event that caused its creation. 

Hewitt and Balcer stated the locality laws in terms of a fourth new object, the participants in an 
event. The participants in an event are those actors that the target of the event knows about while 
processing the message of tlie event. The participants are thus the acquaintances of die target together 
with the actors mentioned by the message. 

For an external event, the message can mention an arbitrary finite set of actors, so there is no 
restriction on the participants of an external event except that diey form a finite set.'^ For events that 
are not external, though, the participants must come from among the acquaintances of the target of 
the event, the actors created by the event, and tlie participants in the activator of the event. 

Rather than introduce the participants fimction into the staicture, this section treats it like 
global time and simply asserts the existence of a function with die required properties. The locality 
laws dien become 

Law of Finite Acquaintances. acq{e) is finite for every e G E. 

Existence of Participants Function. There exists a fiinction participants: E -+ subsets{k) 
satisfying the following laws. 

Finite Interaction Law. participants (e) is finite for every e G E. 

Let created (e) = { a E A — Aq | creation (a) = e }. 

Original Acquaintances Law. If a is a created actor, that is, a ^ Aq. ande is the first event in the 
arrival ordering of a, then 

(^^Q (^) ^ participants [creation (a)) M created [creation (a)). 
'^Perhaps Iherc should be a rcsUiction tliat the message of an external event can mention only primeval actors. 
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Arrival Precursor Acquaintances Law. If a = ^(e) ande has an immediate predecessor ^ in the 
arrival ordering of a, that is, ^ — arva-^ e and->3^' ef — arVa—* e" — arVa—*^ e, then 

acq (e) C participants (e^) M created [ef). 



If e E E is not external, then let activator (e) be the activator of e, that is, the unique immediate 
predecessor of e in the activation ordering — act—^. 

Activator Acquaintances Law. Ife E^ is not external then 

T (e) E participants [activator (e)) M created [activator (e)) 

participants (e) C acq (e) M participants [activator (e)) M created [activator (e)). 



The second half of the last law differs somewhat from Hewitt and Baker's formulation. 

The first half of die Activator Acquaintances Law relates the locality laws to the actor event 
diagrams. Adding the locality laws to the ordering laws produces a more powerful theory, as shown by 
die following actor event diagram which satisfies all the ordering laws of Chapter II but is ruled out by 
tlie locality laws. 

The actor event diagram is shown in Figure 2. The idea is that two actors a and a' never com- 
municate with each other, so diey can have only a finite amount of information in common, but each 
sends messages to the same infinite set of actors. That cannot be, because Uiere is no way the same 
infinite set of pointers to actors can pass through both of a and a!. 

Formally the actor event diagram of Figure 2 is described by the structure 

(E, A, T, — ad->, Arr) 
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Figure 2. An actor event diagram that violates the locality laws. 

where 

^ = {e,e'}[J{ei\ieto}\J{^,\iGuj} 

A = {a,a'}(J{aj | i G w} 
T{e) = a 
T{^) = a' 

€{ — arVu.-^ ^- for all i E c«; 
e, e' are external events 

e — act—>^ Ci for all i G w 

e' —act—* e^ for all i E(jo 

This structure satisfies the ordering laws of Chapter II, yet there is no way to extend it to a stmcture 

(E, A, T, — act—*, Arr, acq, Aq, creation) 

satisfying the locality laws. Proof: suppose there were such an extension, with a given participants 
function satisfying the locality laws. Then participants (e) and participants [e') are both finite, 
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so their union is also finite. Let n G ct; be such that a„ is not in their union, e and ^ are the 
only external events, so the Activator Acquaintances Law applies at both e^ and ^^. Furthermore 
e = activator {e-r^ and e' == activator {^^. Hence creation{ay^ ■= e and creation {an) = e', a 
contradiction. 

This actor event diagram can be modified so that there is only one external event and no event 
activates infinitely many events, and a similar proof will still go through. 

§11.7 showed that the ordering laws were independent of the locality laws. This section has 
returned the favor by showing tiiat the locality laws are independent of die ordering laws. 



V.4. Semantics with Actor Creation 

Chapter IV gave a power domain semantics for actor-based languages without actor creadon. 
This section extends die semantics of Chapter IV to permit actors to be created during die course of 
computation. 

The concept of programming language semantics that has die most to do with the technical 

adjustments in this secdon is the concept of a store. Usually a store is a mapping from locadons 

to stored values. Here it will be a mapping from actor names, or network addresses, to behaviors. 

Usually updated versions of the store are passed from semandc function to semantic function. Here 

and in Chapter IV the original store is passed together with enough history to reconstruct the updated 

store. Usually the quesUon of exacdy which unused locaUon is pressed into service when a new object 

is created is left unanswered by programming language semanticists. On this qucsdon, and often on 

this quesdon only, semanticists usually resort to axioms rather dian give a concrete denotadon.-^ Here 

a concrete answer will be given to the quesdon of which unused actor name should be allocated to 

a new actor. However, the set of actor names will not bear any resemblance to the space of network 

addresses for real machines. The correspondence between actor names and network addresses is to be 

determined by die storage management module in real implementations. 

^Scc for example the discussion of new m §J.4.2 of Milne and Strachey, A Theory of Programming Language Semantics, 
Chapman and Hall, lx)ndon, 1976. 
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The semantics given in §IV.4 begins by assuming a flinction 

^{Q):^ -^ F 

giving the initial behavior of each actor. The obvious way to extend the semantics to deal with actor 
creation is to let ^ (Q) specify only die behaviors of primeval actors and to let the semantics keep 
track of the behavior of a created actor beginning with the time of its creation. This approach is 
sound, would work, and is the approach usually taken, but it would require significant revisions to the 
power domain semantics of Chapter IV. The revisions would be necessary because of a shortcut that 
was taken to simplify the semandcs. The semantics in Chapter IV does not associate a mapping from 
actors to current behaviors with each event diagram. Rather it computes current behaviors from the 
initial behaviors and tiie initial history provided by an event diagram. 

Tliis section instead makes ^ (Q): A — ^ F give die initial behavior of every actor, primeval 
and created alike, that could possibly exist during a computation. That is accomplished through the 
inelegant technical trick of coding within the name of each created actor a pointer to its creation 
event. Indeed a created actor's name will include the entire local history of the actor that created it, 
up to and including its creation event. To be specific, the set of actor names is defined by the reflexive 
domain equation 

A = { user } + ( { program }xN) + ((AxM'*")xN) 

where user and program are distinct atomic symbols, N is tlie flat domain of natural numbers, and 
M"*" is the domain of nonempty sequences of messages. The interpretation of the actor names is as 
follows. 

user is one of the primeval actors. It is meant to denote a terminal, file, or operating system 
through which programs can connnunicate results to dieir user. 

{program, 0) is the first actor declared in a program, so it too is a primeval actor. In general 
(program, v) is the {y -\- l)th of the primeval actors declared in a program. All actors of the form 
{program, i') arc primeval if tiiey exist. 

{{a,fj,*),i^) is the name of the {u -|- l)di actor created as a result of the nth event in the arrival 
ordering of a, where n is the length of the sequence /-t*. The ith element of ^t* is the message of the 
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i\h event in the arrival ordering of a. Thus ju* codes die local history of q diat led to die creation of 
({a, /i*), i/). Note that if q is itself a created actor dien die name 'q' points to its creation event, and so 
on. In this way every actor name traces history all die way back to a primeval actor, making possible 
an inducdve defmidon of ^ (Q) with the primeval actors as the basis for die inducdon. 
Recall that in §IV.2 die behavior domain was defined via the equadon 

F = M -^ (F X (A X M)*) 

so a behavior was a fimction from messages to pairs consisdng of a new behavior and a finite sequence 
of messages sent to target actors. Allowing actors to create a finite number of new actors upon 
accepdng a message causes die behavior domain to become 

F = M -^ G -4 (F X (A X M)* X F*) 

where an element of F* is a finite sequence of behaviors — the inidal behaviors of the created actors. 
An element of G is an actor name generator producing die names to be given to die actors created in 
an event, llie domain G is defined by 

G = A X G. 

The only changes diat need to be made to §IV.4 to accomodate actor creadon are caused by 
die addition of actor name generators to the behavior domain equation. The semandcs must supply 
behaviors with both a message and die correct actor name generator. 

The definidon in §IV.4 of the successive behaviors of an actor a must be changed to 

b{a,0) = ^{Q)a 
b{a,n-\- 1) = next [b (a, n) [M {(a, n))) 7n+i) 

where 7n+i is the actor name generator producing die new actor names 

((a,/.*),0), ({a,/i*>,l), ((a,M*>,2>, .... 
Here /i* is a list of the first n + 1 messages to arrive at a. Thus 

7„_^i == gamma {{a, history [a, n + 1)}) 
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where gamma is as defined in tlie appendix and /if siory is defined by 

history (a, 0) = { ) 
history {a, n + 1) = [history [a, n)) § (M ((a, n))) 

where § indicates concatenation of sequences. 

In the definition of ^ (_L) in §IV.4 the pending events P must be changed to 

P = pend [9 [Q) ao mo 7) X { (oq, 0> }, 

where 

7 = gamma ((oq, {mo))) 

while in the definition of a: (a, m, e) the pending events P' must be changed to 

P' = [P — { {{a, m), e) }) H-j(pend [behavior (a) m 7) X { (a, n) }) 

where 

7 = gamma [{a, [history [a, n)) § (m)))). 

In the definitions of augmented actor event diagrams consistent with respect to the initial behaviors 
and complete with respect to the initial behaviors die left hand side of the main equation must be 
changed from 

pend [b [a, n) [M (e))) 



to 



where 



pend [b [a, n) [M (e)) 7) 



7 =^ gamma [{a, history [a, n -|- I)))- 

The theorems of §IV.4 are unaffected by tlicse technical changes. The changes make possible 
a definition of ^ (Q): A — > F giving an initial behavior for all actors that could possibly be created 
during computation. The appendix contains the details. 



135 



By way of apology I would like to quote Milne and Strachey:^ 



In situations where any one of a large number of models is equally satisfac- 
tory it might well seem better to give a set of axioms which all the models 
need to satisfy and to refrain from making the extra and arbitrary choices any 
particular model involves. We shall not adopt this course, because the use of 
a particular model allows us to give our results a more concrete form and, we 
think, improves the inteUigibility of an already complex subject. 

Readers who feel that the treatment of actor names in this section is a counterexample to that argu- 
ment have my sympathy. 



V.5. A Toy Language 

A dissertation on defining the semantics of actor-based programming languages ought to define 
the semantics of an actor-based programming language. The appendix presents the semantics of a toy 
language illustrating actors, culminating in a fiinction 

9: Act -^ (A -^ F) 

giving for each program in Act an assignment of initial behaviors to actors. At that point the power 
domain semantics of Chapter IV takes over. 

The toy language presented in die appendix, dubbed Atolia for ease of reference, was designed 
expressly to illustrate this dissertation. It is a horrid programming language, as the sample programs in 
tlie appendix demonstrate. The one thing Atolia does well is reflect the semantics of message passing 
and actor creation. 

An interpreter for Atolia programs has been written in Lisp for the DEC PDP-10 and the Lisp 
Machines at the MIT Artificial Intelligence Laboratory. The interpreter normally runs programs 
pscudo-concurrently and is nondcterministic. Efficiency was not a concern when the interpreter was 
built. Comparisons made on the PDP-10 show that Atolia programs nin three to seven times slower 
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than comparable Scheme^ programs. Implementation and testing of the interpreter took ten person- 
days. The Atolia programs contained in this dissertation were tested using the interpreter. 



V.6. The Locality Laws may not Hold 

Do the locality laws hold for Atolia? The semantic definition of Atolia given in the appendix does 
not answer that question because the definition is incomplete. The semantic ftmction 

O:0pr -^ V -^ V 

giving tlie meaning of primitive operators is not defined. If Atolia has sufficiently strange primitive 
operators, tlien the locality laws do not hold. Let oq, oi, a2, . . . be distinct actors, and consider the 
function strange: V -+ V defined by 

(oq in M if e = true in V; 

strange{e) = < aj+i in V if e = a^ in V; 
\e otherwise 

where [a in V) is the injection of a into tlie domain V. If Atolia contains a primitive operator 
strange such that 

[strangej = strange 

then die locality laws do not hold. The reason is die primidve operator strange makes it possible 
for an actor to send messages to an infinite set of actors without ever creating an actor or accepting a 
message from any actor other than itself. Consider the program 



^Guy Lewis Steele Jr and Gerald Jay Sussman, "The revised report on Scheme: a dialect of Lisp", MIT Artificial 
hitelligence fvlcmo 452, January 1978. 
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(startup = accept [ ] 

send strange( true) to A ; 
send strange( true) to B) 

(A = accept [ actor ] 

send "greetings" to actor ; 
send strange(actor) to A) 

(B = accept [ actor ] 

send "greetings" to actor ; 
send strange(actor) to B) 



This program does not heed the locality laws. The actor event diagrams that correspond to its com- 
putations resemble the actor event diagram proved in §3 to violate the locality laws. 

The effect of the locality laws is to rule out such strange primitive operators. To put it differently, 
die locality laws call on a semantics to account for such operators in terms of message passing and 
actor creation so that they no longer appear as primitives. The point is that the locality laws do not 
automatically hold for a programming language semantics. A semanucs for which die locality laws fail 
may be perfecUy acceptable for some purposes, but it is not a true actor semantics. 

V.7. The Locality Laws may be Provable 

The previous secdon showed diat if the primiuve operators of Atolia are ill behaved, then die 
locality laws do not hold. If on the other hand the primitive operators are well behaved, then the 
locality laws do hold for Atolia. 

This claim has die status of a conjecture rather than a proved dieorem. Its proof would involve 
a stmctural induction encompassing every semantic equation in the appendix, and that staictural 
induction has not been carried out. Nonetheless a compelling plausibility arguement can be based on 
a simple inspection of those equadons. 

The value domain of Atolia is 

V = T + N + R + H* + A + V* 
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where A is the domain of actors, V* is the domain of sequences of values, and the other domains are 
basic domains not involving actors.^ Define the set of actors embedded in a value e G V as s (e) where 



sie) = { 



\ ^ 


if e E T; 







ifeEN; 







if e E R; 







ifeEH*; 




{a} 


ifdE Aande | A = a; 







ifeEV*and6| V* = ( >; 




.ULo^N 


ifeEV*ande| V* = {eo,.. 


.,€n> 



(Here e | D is the projection of 6 to the domain D.) A primitive operator O E Op r is well behaved iff 
for all e G V 

s{OlO}e)Qs{e) 

so that applying the operator to a value produces a result value embedding only actors that were 
already present in the argument value. If every Atolia operator is well behaved in this sense, then the 
locality laws hold. 

Idea of proof: it should be clear how to define the primeval actors Aq and the creation function 
creation for a computation performed by an Atolia program. There are several ways to define tlie 
acquaintiinces function acq. The simplest way is to define 

acqie)= [j s{pm) 
iGlde 

where p is the environment giving the values of identifiers appearing in the script of T(e) at the time 
of the event e. An alternative is to take the union only over those identifiers appearing free in the 
script of T(e). Both definitions serve die purpose. From either one a participants function can be 
defined by 



participants (e) = < 

[^ac 



ife is external; 
acq (e) \J participants (e') |J created [e') ife' = activator (e). 



^In Acll the value domain is V = A because everything is an actor. Actl does not have primitive operators, but has 
primitive actors, which Atolia docs not have. With a few changes mandated by those diflcrences the remarks of this 
section would apply equally to proving the locality laws for Actl. 
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participants (e) is thus the set of all actor names tliat could possibly be accessible to the target of e 
while it is processing the message of e. Defining participants (e) == acq (e) for external events works 
only because the single external event of an Atolia computation mentions no actors. If the message 
of an external event could mention actors, then those actors would have to be included among the 
participants. 

The second half of the Activator Acquaintances Law is immediate from the definition of 
participants. 

Since only finitely many identifiers are bound in the initial environment, the identifier binding 
mechanisms of Atolia bind only finitely many idendfiers at a time, and Atoha scripts always terminate, 
only finitely many idendfiers can become bound as the result of an event. Furthermore created (e) is 
always finite. An induction on the number of predecessors of an event in the combined ordering thus 
proves both tlie Law of Finite Acquaintances and the Finite Interaction Law. 

Yet to be established arc die Original Acquaintances Law, the Arrival Precursors Acquaintances 
Law, and the first half of die Activator Acquaintances Law. These are die nontrivial locality laws. 
They all depend upon the idea that the only way an actor name can become known to an actor a is by 
being present in the environment prevaihng when a is created, by being part of a message sent to a, or 
by being die name of an actor created by a. Proving die locality laws for Atolia amounts to verifying 
this idea from the semantic equations given in die appendix. 

Inspection reveals that the only possible problem is the primitive operators. So long as they are 
v/ell behaved, diough, an actor cannot use them to come up with any new actor names diat die actor 
doesn't already know about. If the primitive operators are well behaved, therefore, the locality laws 
hold. 



140 



Chapter VI 



Conclusion 



This thesis has set forth the foundations of a theory of semantics for nondeteiTninistic program- 
ming languages based on the actor model of concurrent computation. To that end, the tliesis has given 
a precise account of the actor model. It has justified tlie ordering laws using a notion of global time 
realizability. It has demonstrated a constraining effect of the locality laws. It has analyzed notions of 
concurrency and nondcterminism. It has extended a standard power domain constaiction to apply to 
incomplete domains, and has used that extension to define a power domain semantics for actor-based 
languages. 

The actor semantics presented in this thesis is not very abstract because the event diagrams 
contain far too much operational information for most purposes. For example, the Atolia program 



(f = accept [ ] send [ ] to g) 
(g = accept [ ] send to user) 
(h = accept [ ] dummy) 



does not have the same meaning as 
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(f = accept [ ] send [ ] to g) 

(h - accept [ ] dummy) 

(g = accept [ ] send to user) 

because the second actor to be declared receives a message in the first program but not in the second. 
This is analogous to a problem that arises in standard semantics when two programs that are intui- 
tively equivalent turn out to have different meanings because they use storage in slightly different 
ways.^ In standard semantics die problem is made much less severe by concentrating on the final 
output of a program. In actor semantics it is not clear what should be considered die final output, 
though often the only thing of importance is the arrival ordering of a particular actor such as user. 
This matter deserves further attention. 

The semantics presented in this thesis needs to be extended to other kinds of actors besides 
primitive serializers. One goal of this extension should be to make it possible to regard a complex 
system of actors as a single actor. 

The technique of building power domains from incomplete domains is not limited to actor 
semantics. A fair power domain semantics for dual processors communicating via shared memory 
can also be constmcted using diis technique. I conjecture that an incomplete history domain could 
be used to construct a fair power domain semantics for the language of Communicating Sequential 
Processes. 

The power domains with incomplete underlying domains that have so far occurred to me seem 
unpleasantly operational, but tiie real limitations of the idea are not yet known. 

The category of (possibly incomplete) domains and cu-continuous maps as defined in Chapter III 
is closed with respect to the usual domain constmctors +, x, *, — >, and die power domain construc- 
tion P[ ' ] of Chapter III. A theorem stating conditions under which reflexive domain equations have 
solutions in tiiat category would be very useful. 



^See §4.1.1 of Robert Milne and Christopher Strachey, A Theory of Programming Language Semantics, Chapman and 
Hall. London, 1976. 
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Appendix I 



Atolia: Informal Description 



This appendix describes tlie abstract syntax and informal semantics of a toy language illustrating 
actors. 
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Atolia 

(a toy language illustrating actors) 

Version 



Syntactic domains 

IG Ide 
Be Bas 
Oe Opr 
EG Exp 
TG Com 
$ G Abs 
A G Dec 
EG Act 



identifiers 

bases 

operators 

expressions 

commands 

abstractions (scripts) 

local declarations 

actor script declarations 



Productions 

E ::= B I OE I I I [Eq- • •£„] 

I if Eo then Ei else E2 | (E) 

r ::= dummy | change I to E | become $ | send Eq to Ei 

I create (E) T \ Fq; Ei | if E then Fq else Fi | (F) 

^ ::= accept [lo -In] T | A inside <I> | if E then $0 else <^i | (<l>) 

A ::= 1 initially E | I = E | Ao; Ai | (A) 

E ::= (I = ^) I ^0 Si 



144 



Expressions 

Bases 
B 

The bases are the constants and literals, such as the booleans true and f a1 se, the numerals 
representing integers such as and 1, representations for whatever other number types are needed, 
and character strings such as "this is a string". They evaluate to the basic values of the 
machine. 

Operator applications 
OE 

An operator application consists of an operator followed by an expression. To simplify the 
language, all operators take exactly one argument, but the effect of two or more arguments can be 
obtained by using a sequence as the argument. The expression is evaluated and fed to tlie operator, 
which returns a single result value. As is die case for all Atolia expressions, there are no side effects. 

Among the operators are predicates and functions such as equal, actor p, plus, and times. 
The operators of Atolia are fixed by the language; users cannot define additional operators. 

Idendfiers 
I 

An identifier denotes a basic value, an actor, or a sequence of denoted values. In other words, an 
identifier can denote die result of any Atolia expression. Identifiers are bound by local declarations, 
by die patterns of accept statements, and by actor script declarations. 



145 



Sequences 
[Eo -E,] 

A list of expressions in brackets indicates a sequence of values. Since sequences are themselves 
expressions, sequences may be nested. 

Conditional expressions 
if Eo then Ei else E2 

The expression in tlie predicate position must evaluate to a boolean value. If it evaluates to true, 
the expression following the then is evaluated and becomes the value of the conditional expression; 
otherwise the expression following the el se is evaluated and becomes the value of the expression. As 
with all expressions in Atolia, the predicate expression has no side effects. 

Parenthesized expressions 
(E) 

Parentheses arc ignored by the semantic equations. They appear in tlie abstract syntax to allow 
syntactically unambiguous programs to be written. 
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Commands 

Dummy commands 
dummy 

The dummy command has no effect. 

Assignments 
change I to E 

The change command causes the identifier to denote a new value. The identifier being 
changed must be mutable; in other words, it must have been declared by a declaration of the form I 
initial ly E. 

New behaviors 
become <l> 

Tlie become command specifies a new behavior for the actor, to become effective when the 
actor unlocks. Only a subsequent become command can override the newly specified behavior. The 
free identifiers of <E> are bound to the values they denote when the become command is executed. 
Identifiers tliat are mutable at die time of the become command remain mutiible in 4> unless 
rcdeclared or bound. 

1'ransmissions 
send Eo to Ei 

The send command evaluates expression Eo and sends tlie result as a message to the actor 
specified by Ei. Ei must evaluate to an actor, of course. 

Actor creations 
create (E) T 

The create command is similar to the letrec expression of ISWIM and the 1 abel s expres- 
sion of Scheme. It permits the creation of mutually recursive actors. First the identifiers denoting 
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the newly created actors are bound to their newly allocated network addresses. Then the behaviors 
of die new actors are fixed by binding the free variables of Uieir scripts in the resulting environment. 
The new actors are not permitted to change die state variables of dieir creating actor, however, nor do 
subsequent changes by their creadng actor affect die values of identifiers in the new actors. Then die 
creating actor executes a command before discarding die environment diat contains the addresses of 
die new actors. The command may send messages to die new actors or may change a state variable to 
remember some of them as new acquaintances; diere is no point to a create command of die form 
(create (S) dummy). 

Sequencing 

To; l\ 

To is executed, followed by Fi. Atolia has no gotos or other sequencers diat could alter die 
sequential order of execution. 

Conditional commands 
if E then To else Ti 

The expression must evaluate to a boolean. If the result is true, To is executed; otherwise Fi is 
executed. The evaluation of die predicate expression has no side effects. 

Parenthesized commands 
(F) 

Parentheses are ignored. 
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Abstractions (Scripts) 

Accept statements 
accept [lo-In] r 

The accept statement specifies a behavior. In Lisp terms, it is a lambda expression that 
evaluates to a closure when it is encountered as part of an actor script declaration or become state- 
ment. When the actor whose behavior it specifies first receives a message, it locks, binds identifiers lo 
through I„ to components of the message, executes the command F, and then unlocks. The command 
r may cause messages to be sent and/or actors to be created. F also determines a new behavior for 
the actor. If executing F does not result in executing any become or change commands, the new 
behavior is the same as the old. If become commands are encountered, the last one determines the 
new behavior of the actor, change commands can alter the behavior of an actor by changing the 
values of mutable identifiers. 

The identifiers bind to message components as follows. Usually the message is a sequence, in 
which case the elements of the message pair one-for-one with the corresponding identifiers, proceed- 
ing from left to right. If the message sequence is longer than the list of identifiers, the extra message 
components are ignored. If the fist of identifiers is longer, the extra identifiers bind to the empty 
sequence. If tlie message is not a sequence, every identifier in the identifier list binds to the value 
of the message. If the identifier list is empty, no identifiers are bound and tlie message acts only to 
initiate execution of the command F. The exact manner in which the identifiers are bound to the 
message components is to a great extent arbitrary, of course. The language Actl, on which Atolia is 
based, uses a considerably more sophisticated matcher. 

Abstractions governed by local declarations 
A inside $ 

The purpose of a local declaration is to bind identifiers referred to inside an abstraction. 
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Conditional abstractions 
if E then $o else $i 

The expression must evaluate to a boolean. If the result is true, tlien ^o is the abstraction to be 
used. Otherwise <I>i is used. 

Parentliesized abstractions 
($) 

Parentheses are ignored. 
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Local Declarations 

Mutable declarations 
I initially E 

The expression is evaliuUed and bound as the value of the identifier. 

Identifiers declared using i n i t i al 1 y are similar to "own" variables bound at declaration time. 
They are state variables of the actor whose abstraction contains their declaration. Only that actor can 
alter them by change commands. When new actors are created, the new actors' scripts may refer to 
state variables of the creating actor, but the value denoted by those references is fixed as the value 
of the state variables at the time of the created actors' declarations. Not only can the created actor 
not change them, but subsequent changes by the creating actor do not affect the value seen by the 
created actor. 

Immutable declarations 
I = E 

Identifiers declared in this way cannot be altered except by being bound in a subsequent local 
declaration, accept statement, or actor script declaration. 

Sequencing of declarations 
Aq; Al 

Ao is evaluated, followed by Ai. 

Parenthesized declarations 
(A) 

Parentheses are ignored. 
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Actor Script Declarations 

Script declaration 
(I = $) 

The purpose of a script declaration is to bind an identifier I to a new actor whose initial behavior 
is given by $. See the create command. 

Sequences of script declarations 
So El 

The order of script declarations is irrelevant (except when the same identifier is used twice, in 
which case the compiler ought to warn the programmer). See the c reat e command. 



Programs 

An Atolia program is an actor script declaration. The program will be started by sending an 
empty message to the first actor declared in the program. The program may request input from and 
send output to a special actor denoted by user in the initial environment. The actor denoted by 
user may be a terminal, a file, or an operating system. 
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Appendix II 



Atolia: Sample Programs 



Iterative (tail recursive) factorial subprogram: 

(factorial = accept [continuation n ■] 

send [ continuation n 1 ] to loop) 

(loop = accept [ continuation n product ] 

if or [ (lessp [ n 1 ]) (equal [ n 1 ]) ] 

then send product to continuation 
else send [ continuation 

(minus [ n 1 ]) 

(times [ n product ]) ] 
to loop) 



Recursive factorial subprogram: 

(factorial = accept [ continuation n ] 

if or [ (lessp [ n 1 ]) (equal [ n 1 ]) ] 
then send 1 to continuation 
else (create ((mul tiply-by-n 

= accept C X ] 

send times [ n x ] to continuation)) 
send [ mul tiply-by-n (minus [ n 1 ]) ] 
to factorial)) 
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A subprogram that creates instances of queues: 

(create-queue 

- accept [ continuation ] 
create ((queue 

= q initially [ ] 
inside 

accept [ c op X ] 
if equal [ op "empty?" ] 

then send equal [ q [ ] ] to c 
else 
if equal [ op "length" ] 
then send length(q) to c 
else 
if equal [ op "head" ] 

then send if equal [ q [ ] ] 

then "error -- empty queue has no head" 
else first(q) 
to c 
else 
if equal [ op "enque" ] 

then change q to append [ q [ x ] ] ; 

send "ok" to c 
else 
if equal [ op "deque" ] 
then if equal [ q [ ] ] 

then send "error -- can't deque an empty queue" 

to c 
else change q to rest(q) ; 
send "ok" to c 
else 
send "error -- unrecognized operation on queue" to c)) 
send queue to continuation) 
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A program to calculate and print the prime numbers 
using a parallel version of the Sieve of Eratosthenes: 

(print-primes = accept [ go ] 

send [ print-primes "request" ] to sieve ; 
become 

accept [ c r prime ] 
if print (prime) 

then send [ print-primes "request" ] to sieve 
else dummy) 

(integers = n initially 2 
inside 
accept [ c request ] 
send [ integers "reply" n ] to c ; 
change n to plus [ n 1 ]) 

(sieve » 

generator initially integers ; 
waiting-consumer initially [ ] 

inside 
accept [ c r prime ] 
if equal [ r "request" ] 

then change waiting-consumer to c ; 

send [ sieve "request" ] to generator 
else 
if equal [ r "reply" ] 

then send [ sieve "reply" prime ] to waiting-consumer ; 
(create ((filter » 

waiting-consumer initially [ ] ; 
candidate initially ; 
multiple initially prime 

inside 
accept [ c r n ] 
if equal [ r "reply" ] 

then if lessp [ multiple n ] 
then change multiple 

to plus [ multiple prime ] ; 
send [ c r n ] to filter 
else 
if equal [ multiple n ] 

then send [ filter "request" ] to generator 
else 
if lessp [ n multiple ] 

then if equal [ waiting-consumer [ ] ] 
then change candidate to n 
else send [ filter "reply" n ] 
to waiting-consumer ; 
change waiting-consumer to [ ] 
send [ filter "request" ] 
to generator 
else dummy 
else 
if equal [ r "request" ] 

then if equal [ candidate ] 

then change waiting-consumer to c 
else send [ filter "reply" candidate ] to c 
change candidate to ; 
send [ filter "request" ] to generator 
else dummy)) 
send [ filter "request" ] to generator ; 
change generator to filter) 
else dummy) 
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A subprogram that acts as a stack: 

(stack = elements initially [ ] 
inside 
accept [ continuation op x ] 
if equal [ op "push" ] 

then change elements to [ x elements ] ; 

send "pushed" to continuation 
else 
if equal [ op "pop" ] 
then 

(if equal [ elements [ ] ] 

then send "error -- stack empty" to continuation 
else change elements to second(elements) ; 
send "popped" to continuation) 
else 
if equal [ op "top" ] 
then 

(if equal [ elements [ ] ] 

then send "error -- stack empty" to continuation 
else send f irst(elements) to continuation) 
else 
if equal [ op "empty?" ] 

then send equal [ elements [ ] ] to continuation 
else 
send "error -- undefined operation on stack" to continuation) 
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The LOOP program of Chapter IV: 

(loop = accept [ ] 

send "addl" to loop ; 
become i initially 
inside 
accept [ msg ] 
if equal [ msg "addl" ] 

then change i to plus [ i 1 ] ; 

send "addl" to loop 
else 
if equal [ msg "halt" ] 

then send i to user ; become accept [ ] dummy 
else dummy) 



The unboundedly nondeterministic CHOOSE program of Chapter IV: 

(choose = accept [ ] 

send "addl" to choose ; 
send "halt" to choose ; 
become i initially 
inside 
accept [ msg ] 
if equal [ msg "addl" ] 

then change i to plus [ i 1 ] ; 

send "addl" to choose 
el se 
if equal [ msg "halt" ] 

then send i to user ; become accept [ ] dummy 
else dummy) 



The possibly nonterminating CHOICE-LOOP program of Chapter IV: 

(choice-loop = accept [ ] 

send "addl" to choice-loop ; 
send "stop" to choice-loop ; 
become i initially ; 

waiting initially false 

inside 
accept [ msg ] 
if waiting 

then if equal [ msg "stop" ] 

then change i to plus [ i 1 ] ; 
change waiting to false ; 
send "addl" to choice-loop 
send "stop" to choice-loop 
else dummy 
else if equal [ msg "addl" ] 

then change waiting to true 
else 
if equal [ msg "stop" ] 
then send i to user ; 

become accept [ ] dummy 
else dummy) 
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Appendix III 



Atolia: Comparison with Act1 and CSP 



Atolia is a toy language designed to illustrate actors. In most respects Atolia is merely a simplified 
form of the experimental language Actl.^ A multiprocessing version of a small dialect of Actl has 
been implemented on the MFF Lisp Machines using the Chaosnet for interprocessor communication. 
Nondeterministic single processor implementations with simulated concurrency exist for Atolia on the 
MIT Lisp Machines and on die MIT AI Lab's PDP-10. 

Actl has a number of syntactic features not found in Atolia. Whereas in Atolia continuations 
must be passed as explicit message components, Actl has conventions diat allov/ most continuations 
to be suppressed. Whereas an Atolia program can create actors only through the create command, 
Actl programs create many actors implicitly. These features of Actl make programming easier, but 
the large doses of syntactic sugar obscure what is really going on in terms of actor semantics. Since 
illustrating actor semantics is die whole purpose of Atolia, its syntax is less refined than Actl's. 

The only major semantic difference between Atolia and Actl is diat everything in Actl is con- 
sidered to be an actor. For example, the behavior of an actor in Actl is another actor; an actor's state 
variables arc also actors. This must not be taken too seriously because it leads to an infinite regress of 
message passing, as an actor consults its behavior to see what to do, and its behavior dien consults Us 
behavior, and so on. It is also hard to understand how a primiUve scrializer that has asked its behavior 

'Carl Hewitt, Giuseppe Altardi, and Henry Liebcrman, "Specifying and proving properties of guardians for distributed 
systems," Semantics of Concurrent Computation, Springer- Verlag Lecture Notes in Computer Science 70, 1979, pages 
316-336. 



158 



how to act on a message it has accepted can accept the behavior's reply while remaining locked from 
the original message.^ 

In Atolia, however, actors correspond to network addresses identifying code segments. The be- 
havior of an actor is not itself an actor, but is instead a mathematical fimction defined by the actor's 
code via a conventional programming language semantics. The behavior of an actor bears the same 
relation to the actor that the a priori meaning of a process bears to the process in die semantics of 
Communicating Sequential Processes.^ 

Actors in Atolia are similar in other ways to the processes of Communicating Sequential 
Processes (CSP).'' (So are the actors of Actl, but Atolia is more like CSP than is Actl.) Like CSP 
processes, actors cannot access each other's local variables, and aside from actors acting as data struc- 
tures there are no global variables. As with CSP processes, all interaction between actors takes place 
through message passing. 

CSP processes whose repetitive commands have only input guards and whose alternative com- 
mands have as guards either all input guards or all boolean guards are roughly comparable to actors 
whose command body contains no create commands. Atolia has no counterpart to the automatic 
terminadon of a repetitive command with input guards, however, so an actor requires some sort of 
condition to become true before it proceeds to the rest of its text (using become). 

CSP input commands must name the outputting process, while an actor can accept messages 
from actors it does not know about. CSP output commands cause the outputting process to wait until 
tlic target process accepts the message; an actor starts a message on its way and the actor proceeds, no 
permission or acknowledgement being required from die target actor. Each message sent in Atolia is 
eventually accepted by its target actor; a CSP output command may never finish execution because 
the target process never accepts the message. 

CSP has nothing resembling the c reate command of Atolia. A CSP program consists of a fixed 

number of processes, and the intercommunication topology of those processes is static. The process 

^The most recent version of Actl has, in fact, backed away from some of these views. 

'^Nissim France/, C A R lloare, Daniel J l.elimann, and Willem P dcRoever, "Semantics of nondeterminism, concurrency, 
and communication", / Computer and System Sciences 19, 1979, pages 290-308. 

^C A R lloare, "Communicating sequential processes", CACM 21, 8, August 1978, pages 666-677. 



159 



identifiers of input and output commands are constants, so ttiat die set of processes a given process 
can send to or receive from is apparent from its text. Atolia, in contrast, permits actors to be created 
dynamically. Actor names may be passed freely in messages, and may be bound as die value of 
identifiers. Indeed Atolia's syntax allows arbitrary expressions to appear in die target position of send 
commands. 

The fact that actors can be created does not imply diat Atolia is unsuitable for implementation 
on a fixed network of processors. Many actors are created only to serve as explicit continuations for 
recursive programs; actor creation of tiiis sort can be as inexpensive as recursive function calls in 
Lisp. In other instances actor creation corresponds to process creation. The questions of which actor 
creations should be implemented as local function calls and which should be implemented as concur- 
rent processes can be decided by a compiler based on its knowledge of the target machine. While 
there may be good reasons for retaining die conventional syntactic distinctions between fimction calls 
(generating implicit continuations) and process creation, it is an achievement of the actor model that 
process creation and continuation creation appear the same semantically. 
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Appendix IV 



Atolia: Formal Semantics 



This appendix presents die semantics of a toy language illustrating actors, culminating in die 
definition of a function 

g*: Act -> (A -+ F) 

giving for each program an assignment of initial behaviors to actors. This fiinction is the starting point 
for the power domain semantics of Chapter IV, modified for actor creation by die changes outlined in 
§V.4. 

The notation in this appendix is based on that of Robert Milne and Christopher Strachcy, A 
Theory of Programming Language Semantics.^ A one page summary appears at the end of diis appen- 
dix. Similar notation is used by Tennent, Gordon, and Stoy (see bibliography). 



'Chapman and Hall, Ix)ndon, 1976. 
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Syntactic domains 



Atolia 

(a toy language illustrating actors) 

Version 



IG Ide 
BG Bas 
OG Opr 
EG Exp 
FG Com 
$G Abs 
A G Dec 
EG Act 



identifiers 

bases 

operators 

expressions 

commands 

abstractions (scripts) 

local declarations 

actor script declarations 



Productions 

E ::= B I OE I I I [F^- •£„] 

I if Eo then Ei else E2 | (E) 

r ::= dummy | change I to E | become 4> | send F^ to Ei 

I create (E) T \ To; Ti | if E then To else Ti | (F) 

^ ::= accept [lo-In] E | A inside 4> | if E then % else 4>i | ($) 

A ::= I initially E | I = E | Ao; Ai | (A) 

E ::= (I = $) I Eo Ei 
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Value domains 



qGA 
7GG 

0GF 
T 

R 

H 

B 

cGV 

pGU 



{user} + {{program} xN) + ((AxM"^)xN) 

A X G 

V 

M -^ G -^ F X (A X M)* X F* 



T + N + R + H* 

T + N + R + H* + A + V* 

(Ide — ^ (V + {unbound})) x Ide" 

U -> F 



actors 

actor name generators 

messages 

behaviors 

truth values 

integers 

numbers 

characters 

basic values 

denoted values 

environments 

behavior continuations 
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Semantic functions 

<36: Bas -+ B 

0: Opr -4 V -^ V 

6: Exp -^ U -^ V 

Jf: Com -> U -> G -4 X -» X 

g': Com -+ U ~> G -^ (A X M)' 

C: Com -^ U -> G -^ F* 

HI: Com -+ U -+ G -^ U 

g: Com -> U -^ G -> 6 

•J: Abs -^ U -> F 

gS: Dec -> U -^ U 

5: Act -+ U -^ G -> U 

5: Act -^ G -^ G 

i": Act -^ U -^ F* 

g*: Act -* A -> F 
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6: Exp -> U -4 V 

siOEj-Xp.oioKeiEM 
epI = Ap.(pii)pi 

8|[[Eo- • -En]] = \p . (6[[Eo1p, . . . , epnlp) 
ejif Eo then Ei else E2I 

= Xp . (Xe . 6 E T -. ((e I T) -> glEil p, 6^2!^, error) 

(eiF^lp) 

g|(E)l=glEl 



if: Com -^U-^G-^X->X 

Jf [dummyl = Xp7X-X 
Jf [change I to E]| = Xp7x.X 
ir|[become $]| = Xp7x • (X// . "iFl^lp) 
JTjsend Eq to Eil = Xp7X-X 

jficreate (E) n = \pix- nnin^hi)omi)x 

•>riro;ril = X/nx.-N'riIl(^ro^7)(g|irolP7)(i^rolP7x) 

Jf|[if E then To else rj 

= Xp7X . (Xe . e E T -> ((e I T) -> ^[Eol^x, H^ilpix), error) 

mm 
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•T: Com -^ U -> G -^ (A X M)* 

•iTIdummyJ = Xp7.(> 

•iTIchange I to El = Xp7.() 

•iTIIbecome 4>] = Xp7.() 

g'lsend Eo to EiJ = Xp7.(Xe.e E A -^ <((e | A), glEoIpin M»,error)(gjEilp) 

g'Icreate (S) T} = \fn .nninnpl)^^!) 

g'lif E then To else Til 

= Xp7 • (Ae . e E T -> ((e | T) -4 'U'lTolpi, '^P'llPll error) 

imip) 



C: Com -^ U -> G -» F* 

Cldummy] = Xp7.(> 
Cjchange I to E] =X/ry.(> 
C[become $] =:Xp7.() 
Cjsend Eq to Fj = Xp7.(> 

cicreate (E) ^ = \pi .{nmsmpi))umii.^mpi)inni)) 

CiroiTil = X/ry.(Clrolp7)§(C|[rj(^lro]p7)(CiroI/t>7)) 
C|[if E then To else Ti] 

= X/)7 . (Xe . e E T -> ((e | T) -> Cpolpi, C[[riIP7), error) 

c|[(r)i=:Cir] 
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^L: Com -^ U -^ G -* U 

Ri|[dummy]| = X/ry . p 

aijchange I to E] = X/^. I G (p I 2) -^ p[g [El p/ 1], error 

^[become ^\ — \p^.p 

^[send Eo to Ei] = Xp7.p 

^[[create (E) n = \ri .updates p[\ilTWmp-i)(}lT.h)) 

aiiEo; rj - Xp7 • ^Fii mv^p^) mu\pi) 

ai|[if E then To else Vi\ 

= Xp7 . (Xe . e E T -^ ((e I T) -> aX|[ro]]/97, "Ulrijp^), error) 



Q: Com -+ U -> G -+ G 

g [dummy] = X/ry.^ 

g|[change I to E]] = Xp7.7 

Qjbecome 4>]| = X/?7-7 

gjsend F^ to Eil=Xp7.7 

(Jlcreate (E) E] - X/97. gri (3|!Slp7)(HSl7) 

g|iro;rj = Xp7.QriI(^rolP7)(giroIP7) 

gjif E then To else Fi] 

= Xp7 . (Xe . e E T --> ((e | T) -^ glFol/^, W\\pll error) 

(m\p) 

g|I{r)l = giri 
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cf: Abs -♦ U -> F 

g^Iaccept [lo-'-In] rj 

= /ia:(Xx-V-V7.(V.(-^riP'7X(^ry7), ^rip'7, Clrip'7» 

{{divert p {match (Iq, . . . , In) (/^ I V))) i 1, removes (Iq, . . . , In) {p i 2))) 
g^lA inside ^ = \p.^^{SlA]ip) 
'Jjif E then 4>o else ^J 

= Xp . (X€ . £ E T -. ((e I T) -> n^oU ^I^Jp), error) 
(SlElp) 



3): Dec -> U -> U 

g5p initially El - Xp . (W6lElp/Il) i 1, (p j 2) § (I)) 
-Jp = EI = \p . {{p[&mp/l]) i 1, remove I {p I 2)> 
^lAo; Ail = Xp.3)|lAil(g5|[Aolp) 
g5[(A)l=^[Al 
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5: Act -^ U -^ G -+ U 

5J(I = 4))I = Ap7.M7il)/Il)il,remo^eI(pi2)> 
SjEo Ell = ^Pl • ^I^^il (3[[So1p7) (H^oh) 



5: Act -^ G -> G 

H(I = <I>)l = X7.7i2 



:f: Act -> U -> F* 

m^ - ^)i = v.(^m(Pii,(»> 

:fISo Eil = \p.{n^oMHn^ih) 
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9: Act — ^ A -+ F 

^[E] = beh{:flE} (5|[E] Pinitiallinitial)) 

where 

Pinitiai ■-= ((>^I . (I = user) -> user, unbound), { > > 

linitiai = gamma program 

and 

beh: F* -> A -+ F 

is defined by 

6e/i0* user = fix{\(j) . X/i7 . {(f), ( ), ( })) 

beh (t>* {program, u) =^ (j)* [ [u -\- 1) 

beh (f)* {{a, fx*), u) = ({[behav a [beh (f>*Q) (droplast y.*)) 

[last /i*) [gamma {a, ^i*))) i 3) | (i/ -{- 1) 

last /Li* = /i* J, f ^* 

droplast yi* is tlie sequence /ij such that^wj § (^* j f^*) = /i*. 
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Auxiliary functions 

p[e/I] = ((XF = I->6,(pil)ir]),pi2> 
arid = ((XI . unbound), { )) 

divert: U -+ U 

divertpopi = ((XI . (pi i 1) p] 7^ unbound -> (pi i 1) pl, (ad i 1) PI), (po i 2) § (pi i 2)> 

remove: Ide -+ Ide* —^ Ide* 

remove Ix = [0 = §x) —* { ), (I = (a; J, 1) — > remove l{x] 1), 

((^^ i 1)) § remove I (a: f 1)) 

removes: Ide* — + Ide* — > Ide* 

removes 1* a: = (0 = f I*) — + x, removes (I* j 1) 

{remove {\* I i)x) 

updates : U -^ U — ♦ U 

updates popi = (XI* . (0 = f (pi i 2)) -> po, (XI . updates (po[(pi i 1) PI /I]) 

{{Pi i 1). (I* t 1)» 
(I* i 1)) 
(Pi i 2) 
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match: Ide* -+ V -* U 
match r e 

= (0 = f r) -+ arid, 

e E V* -4 (0 = f (e I V*) -^ diveri (arid[( )/I]) {match (I* f 1) e), 

divert (arid[(e i 1)/I]) {match {I* f 1) (e f 1))), 
di?;ert {arid[e/l]) {match (I* f 1) e) 

gam,ma: {{program,} +(AxM))— *G 
gamma x = {fix{\f . \xi/ . { {x, i/), fx{u-\- 1)))) 
xO 

behav: A — ^ F — ^ M* — ^ F 
behav a^^i* 

= {fix{\f. \a<l>ti*Qixl . (0 = if^a -^<l>,fct 

((0 W i i) {gamma {a, til § (^u^ j !»)) j 1) 
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Notation 

All domains in tliis appendix are complete lattices. 

The separated sum of lattices L\), . . . , Dn is defined in Milne and Strachcy, and is written D = 
Do + • • • + Dn- If X belongs to the sum D, then x B Di tells whether x is in the summand A- 
X I Di is the projection of x to A, while y in D indicates the injection of y into Z> for y a member 
of a summand ofD. While some of the semantic equations may omit some injections and projections, 
injections and projections into and from the domains A, G, and M will always be given explicitly. These 
domains must be treated witli care because it is easy to confuse some of their elements with elements 
of V. For example, an element e E V can never be an element of M although e in M is always an 
element of M. Similarly no element of A is an element of V*. 

The product of lattices is written A) x • • • x A. Elements of the product are written 
{.-C(), . . . , Xn), and the projections are indicated by {xq, . . . , Xn) i i + 1 = Xi. 

D* is the lattice of finite sequences fromD, including the empty sequence ( ). If 5 is a metavari- 
able used to range over the domain D, then 8* indicates an arbitrary element of D*. "^Tlie length 
of a sequence 6* is indicated by f (5*, so that |( ) = and f (6o, . . . , ^n) = n -\- I when n > 0. 
Projections are indicated by (^o, • • • , <^n) i * + 1 = ^i- ^q^^\ is the concatenation of <5J and 8\. 6*\n 
indicates the finite sequence obtained by dropping the first n elements of tlie sequence 6*. When 6* is 
a sequence, x E8* tells whether there exists an integer i such that 6* {i = x. 

Do —^ Di is the lattice of continuous functions from Do to Di. Unlike sums and products, 
function lattices are always formed from exactly two domains. Do -+ Di — > Dz is taken to mean 
Do -> (A -. A). 

Function application is indicated by juxtapositioji, associating to the left unless parentheses in- 
struct otherwise. Lambda abstraction is written \x . y. 

fix is tlie usual fixed point operator. 

X —^ yo, yi is yb if a; is true, yi if a: is false, undefined if a: is undefined, and error if re = error. 
Kach domain is assumed to have a special element error that is to be preserved under all the semantic 
equations, tliough the special tests for error have been left out of the equations in the interest of 
informal clarity. 
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